ABSTRACT. We study the discrete logarithm problem for the multiplicative group and for elliptic curves over a finite field by using a lifting of the corresponding object to an algebraic number field and global duality. We introduce the signature of a Dirichlet character (in the multiplicative group case) or principal homogeneous space (in the elliptic curve case), which is a measure of the ramification at certain places. We then develop signature calculus, which generalizes and refines the index calculus method. Finally, we show the random polynomial time equivalence for these two cases between the problem of computing signatures and the discrete logarithm problem.
1. Introduction

Let $A$ be a finite abelian group, which we write additively, and let $x$ be an element of $A$. Let $y$ be in the subgroup generated by $x$, so that $y = nx$ for some positive integer $n$. Recall that the discrete logarithm problem (DLP) is to determine $n$ in a computationally efficient way. The computational complexity of this problem when the bit size of the inputs is large is the basis of many public-key encryption schemes used today. Two of the most important examples of finite abelian groups that are used in public-key cryptography are the multiplicative group of a finite field and the group of points on an elliptic curve over a finite field (see [Ko] and [Mill] for the original papers and [KMV] for a survey of work as of 2000).

In what follows below, we will assume that $\ell$ is a large prime number dividing the order of $A$ and that $x$ is an element of order $\ell$. For $p$ a prime number and $q$ a power of $p$, we denote by $\mathbb{F}_q$ the finite field with $q$ elements and by $\mathbb{F}_q^*$ its multiplicative group of nonzero elements.
One of the best-known techniques to address the DLP is index calculus, which uses relations between elements of an abelian algebraic group to derive linear relations between their discrete logarithms. In the case of the multiplicative group of a finite prime field, $\mathbb{F}_p$, taking sufficiently many random liftings of elements of $\mathbb{F}_p^*$ to integers will ensure that some will only be divisible by small (compared to $p$) prime numbers. Then such relations can be derived because we know how to efficiently factor integers that are products of powers of small prime numbers. See e.g. [Mc], §5.1 or [SWD] for details. Trying to imitate this method for an elliptic curve by lifting the curve to an algebraic number field has turned out to be less effective, because the behavior of the height function on the Mordell-Weil group of the lifted curve makes it far more difficult to derive relations like those just mentioned in the multiplicative group case (see [HKT] or [JKSST] for more details). However, an important aspect of index calculus has not been addressed in these studies, namely, the idea of leveraging small primes to tackle a computational problem that involves large primes, and it is not clear how this idea can be put to work in a setting that involves the Mordell-Weil groups of elliptic curves. In this paper we address this issue in both cases from the perspective of arithmetic duality and propose a unified method which we call signature calculus.

Our general strategy to address the DLP in an abelian algebraic group is to take a lifting of the group to an algebraic number field and use the reciprocity law of global class field theory. Others have taken this approach (see e.g. [F], [FR], [N]), and we refine their methods and give a general exposition of the theory. We explain below in detail how this works for the multiplicative group of a finite field and for the group of points of an elliptic curve over a finite field. The idea is to construct a suitable "test" element, which is a Dirichlet character in the multiplicative group case and a principal homogeneous space in the elliptic curve case. This element pairs with the lifting of a point of the group to give an equation between the local terms of this pairing. The lifting from a finite field $\mathbb{F}_p$ to a global field preserves discrete logarithms at a place over $p$. The reciprocity law then allows us to distribute information on the discrete logarithms among a set of places which depends on the choice of test element and the manner of lifting. We define the signature of these test elements and prove the equivalence of computing the signature with the respective DLP. These signatures measure the ramification at primes above $p$ and $\ell$. Though the signatures are small, they uniquely identify the objects they represent (Dirichlet characters and principal homogeneous spaces). They are, in fact, succinct representations of those objects, and the equivalence results show that computing these signatures (without constructing the objects they succinctly represent) amounts to solving discrete-log problems.

The unifying approach based on global duality provides an ideal setting to compare and contrast index calculus methods in the multiplicative group and elliptic curve cases. The signature computation problem involves large primes, and the question naturally arises as to whether small primes can be utilized to tackle the problem with greater computational efficiency, in a similar way as we mentioned for the multiplicative group. Following the equivalence results we show that in this setting, the index calculus method arises quite naturally for the discrete-log problem in the multiplicative case and the corresponding signature computation
problem. In contrast, a similar method cannot be fashioned for the elliptic curve case. The success in one case and the lack thereof in the other is due to the difference in the nature of the pairings involved. In the multiplicative case, a Dirichlet character which is unramified at a finite place $v$ can nevertheless pair nontrivially with local non-units at $v$. This makes it possible for small primes to play a role in forming relations among values of local pairings. In the elliptic curve case, an unramified principal homogeneous space at a good reduction place $v$ is one that extends to a principal homogeneous space under a smooth proper model of $E$ over the ring of local integers $R_v$ (please see §1 below for more details and explanation). There is a bijection between such principal homogeneous spaces and the corresponding objects under the reduction of $E$ mod $v$ (see e.g. [MET], Chapter III, Remark 3.11(a)). By a theorem of Lang ([L], Theorem 2), the latter objects are trivial. Thus, in the elliptic curve case, an unramified principal homogeneous space at a good reduction place is trivial. For small primes of bad reduction not dividing $\ell$, only the group of components of the special fibre of the Néron model of the elliptic curve over the ring of integers plays a role, and the order of this group is unlikely to be divisible by $\ell$ (see §5.1.2 below for more details). As a result, only primes of large norm can play a role in forming relations among values of local pairings in the elliptic curve case.

The computational complexity of signature calculus is an intriguing question, 
since the objects involved (Dirichlet characters and principal homogeneous spaces) 
and their associated field extensions are huge, but the signatures sought are small. 
Although we show that the testing Dirichlet characters and principal homogeneous 
spaces exist, it remains an interesting question as to how they can be explicitly con- 
structed. This is easier to handle in the multiplicative case, where we also derive 
a concrete number theoretic characterization of the character signature by working 
out the local pairings using norm residue symbols. For the elliptic curve case, we 
have a partial solution. 

This paper is a more formal and detailed exposition than the survey of this 
material that appeared in [HRANTS], and it contains very significant material that 
is not in that paper. We have tried to be completely mathematically precise while 
retaining the cryptographic motivation and applications. 

The idea of using global methods in this way was originally proposed by Frey [F], whom we thank for inspiration, helpful discussions, and for inviting us to present our work at the Elliptic Curve Cryptography (ECC) conference in Bochum in September 2004. Methods of this type have also been used by Frey and Rück [FR], and by Nguyen [N].



2. Global Framework

2.1. Notation and Preliminaries. If $A$ is a locally compact abelian group that is either profinite or torsion, we denote by $A^*$ the group $\mathrm{Hom}_{\mathrm{cont}}(A, \mathbb{Q}/\mathbb{Z})$ of continuous homomorphisms and refer to it as the Pontryagin dual of $A$. Note that $*$ is an exact functor since $\mathbb{Q}/\mathbb{Z}$ is a divisible abelian group.
Let $K$ be a field, fix a separable closure $\bar K$ of $K$, and let $G = \mathrm{Gal}(\bar K/K)$. Let $M$ be a discrete $G$-module upon which $G$ acts continuously, where $G$ has the Krull topology. We will be using Galois cohomology extensively, which we will denote by $H^i(G, M)$ or sometimes $H^i(K, M)$. A basic reference for this theory is [S1].

We shall mainly be using three types of fields: finite fields, denoted by $F$, algebraic number fields, denoted by $K$, and the completion of an algebraic number field at a finite place $v$, denoted by $K_v$.

An algebraic number field will be a finite extension of the field of rational numbers $\mathbb{Q}$. We consider equivalence classes of absolute values $v$ on $K$, which we call places. As most of our discussion will pertain to abelian groups that are $\ell$-torsion, where $\ell$ is an odd prime number, we shall ignore the real and complex places for the most part.

Let $R$ be a discrete valuation ring with fraction field $K$ and residue field $F$. For example, $R$ could be the ring of integers in a $K_v$. Let $X$ be a smooth proper scheme over $Y = \mathrm{Spec}(R)$. Recall that this means that the structure morphism
$$f\colon X \to Y$$
is smooth and proper. The former condition means that the fibres over $K$ (the generic fibre) and $F$ (the special fibre) are smooth, and the latter means that $f$ is separated and universally closed (i.e. that if we change base by a morphism $Z \to Y$, then the morphism
$$X \times_Y Z \to Z$$
is closed). If $X \to Y$ is a proper morphism, then a point $P \in X(K)$ may be lifted to a point in $X(R)$. If $E$ is an elliptic curve over $K$, we may clear the denominators in a defining equation and view it as a curve over $R$ (not necessarily smooth over $R$). Then $E$ is proper over $R$, whereas the multiplicative group is affine and decidedly not proper.

Recall that an elliptic curve over a field $K$ is a smooth, projective algebraic curve $E$ of genus 1 together with a distinguished rational point $O$, which serves as the identity element in an abelian group structure on $E$ that can be defined geometrically by a chord and tangent method. We denote by $E(K)$ the set of points of $E$ over $K$. Recall that a principal homogeneous space under $E$ over $K$ is a curve $F$ of genus 1 over $K$ together with a simply transitive group action of $E$ on $F$. The isomorphism classes of such principal homogeneous spaces are classified by the group $H^1(G, E(\bar K))$, where $G = \mathrm{Gal}(\bar K/K)$. A principal homogeneous space is trivial if and only if it has a rational point over $K$, in which case it is isomorphic to $E$ over $K$. Thus any principal homogeneous space becomes isomorphic to $E$ over a finite extension of $K$.

Let $\mathcal{M}$ be an algebraic group over a discrete valuation ring $R$ and denote by $M$ its fibre over the quotient field $K$. We will be most interested in the cases where $\mathcal{M}$ is either the constant algebraic group $\mathbb{Z}/\ell\mathbb{Z}$ or a smooth proper model of an elliptic curve $E$ with good reduction over a completion of an algebraic number field at a finite place $v$. Recall that an element of $H^i(K, M)$ is said to be unramified if it is in the image of the natural map
$$H^i(R, \mathcal{M}) \to H^i(G, M).$$
This is a more general notion of non-ramification, which is the same as the usual definition when $M$ is finite.

Let $E$ be an elliptic curve over $F$ and let $R$ be a discrete valuation ring with quotient field $K$ and residue field $F$. Then a lifting $\tilde{E}$ of $E$ to $K$ is a smooth proper scheme $\mathcal{E}$ over $R$ whose special fibre is $E$ and whose generic fibre is $\tilde{E}$. We shall use rather simple liftings below, but let us point out that it is a theorem of Deuring [D] that if $E$ is an elliptic curve over a finite field with an endomorphism $\psi$, then the pair $(E, \psi)$ can be lifted to a discrete valuation ring $R$ whose quotient field is an algebraic number field. If the curve is ordinary, as are the curves we consider in this paper, then one can lift the curve together with the whole endomorphism ring. A more systematic approach to liftings of ordinary elliptic curves is given by Serre-Tate theory (see e.g. [S2], §5).

Recall the Brauer group $\mathrm{Br}(K)$ of similarity classes of finite dimensional central simple algebras over $K$, which can be described in terms of Galois cohomology by
$$\mathrm{Br}(K) \cong H^2(G, \bar K^*).$$
When $K$ is an algebraic number field, we have the Brauer-Hasse-Noether exact sequence:
$$(\dagger)\qquad 0 \to \mathrm{Br}(K) \to \bigoplus_v \mathrm{Br}(K_v) \to \mathbb{Q}/\mathbb{Z} \to 0.$$
This is the beginning of the theory of global duality, which shows how to relate the arithmetic of $K$ with that of all of the $K_v$. The following subsections review this theory briefly in the context in which we shall use it.

2.2. Reciprocity Law for the Multiplicative Group. We review the reciprocity law in this context, mostly following the exposition of ([S1], Chapter XIV). Let $K^*$ denote the set of nonzero elements of $K$, which is an abelian group under multiplication. We consider a Dirichlet character $\chi$ of $K$, which we view as an element of the Galois cohomology group $H^1(G, \mathbb{Q}/\mathbb{Z})$. Thus $\chi$ represents a finite cyclic extension $L/K$ together with a homomorphism
$$\mathrm{Gal}(L/K) \to \mathbb{Q}/\mathbb{Z}.$$
Let $\delta(\chi)$ denote the image of $\chi$ under the boundary map
$$H^1(G, \mathbb{Q}/\mathbb{Z}) \to H^2(G, \mathbb{Z})$$
in the long exact cohomology sequence associated to the short exact sequence of $G$-modules with trivial action:
$$0 \to \mathbb{Z} \to \mathbb{Q} \to \mathbb{Q}/\mathbb{Z} \to 0.$$
Then for $a \in K^*$ we consider
$$\langle \chi, a \rangle := a \cup \delta(\chi) \in H^2(G, \bar K^*)$$
under the pairing
$$K^* = H^0(G, \bar K^*) \times H^2(G, \mathbb{Z}) \to H^2(G, \bar K^*) \cong \mathrm{Br}(K).$$
If $L$ is the extension corresponding to $\chi$, then we have that $\langle \chi, a \rangle = 0$ if and only if $a$ is a norm from $L^*$.

If $K$ is an algebraic number field, $\chi \in H^1(G, \mathbb{Q}/\mathbb{Z})$, $a \in K^*$ and $v$ is a place of $K$, then we can restrict $\chi$ to each $K_v$ and regard $a$ as an element of $K_v^*$. Note that we may have $\chi_v = 0$. We then denote the local pairing by $\langle \chi_v, a_v \rangle$. If $v$ is a nonarchimedean place then $\mathrm{Br}(K_v) = \mathbb{Q}/\mathbb{Z}$ and we view $\langle \chi_v, a_v \rangle$ as an element of $\mathbb{Q}/\mathbb{Z}$. Note also that if $v$ is a place where $\chi$ is unramified and $a$ is a unit at $v$, then $\langle \chi_v, a_v \rangle = 0$. That is, every unit is a norm from an unramified extension of nonarchimedean local fields. Thus $\langle \chi_v, a_v \rangle = 0$ for all but finitely many $v$. Since the local pairings are compatible with the global pairing, the exact sequence $(\dagger)$ above for the Brauer group of an algebraic number field shows that we have the reciprocity law
$$\sum_v \langle \chi_v, a_v \rangle = 0 \in \mathbb{Q}/\mathbb{Z}.$$

2.3. Reciprocity Law for Elliptic Curves. Let $E$ be an elliptic curve over $K$. Let $Q \in E(K)$ and $\alpha \in H^1(K, E)$. We consider the pairings
$$\langle \alpha, Q \rangle \in \mathrm{Br}(K).$$
These are not as easy to describe explicitly as in the case of the multiplicative group, but we give here a quick if somewhat terse definition. Given an abelian variety $A$ over $K$, let $A^t$ denote its dual, which is $\mathrm{Ext}^1_K(A, \mathbb{G}_m)$, where $\mathbb{G}_m$ is the multiplicative group scheme and the Ext is taken in the category of algebraic groups over $K$. An elliptic curve is self-dual, so that we can identify $E(K)$ with $\mathrm{Ext}^1_K(E, \mathbb{G}_m)$. Given $Q \in E(K)$, represent it as a 1-extension of algebraic groups $0 \to \mathbb{G}_m \to X \to E \to 0$ using this identification, and let
$$(\ddagger)\qquad 0 \to \bar K^* \to X(\bar K) \to E(\bar K) \to 0$$
be the short exact sequence of $\bar K$-points of these groups. Then given an element $\alpha \in H^1(G, E(\bar K))$, let $\langle \alpha, Q \rangle = \delta_Q(\alpha)$, the image of $\alpha$ under the boundary map
$$H^1(G, E(\bar K)) \to H^2(G, \bar K^*)$$
in the long exact cohomology sequence obtained from the short exact sequence $(\ddagger)$. For $\alpha \in H^1(G, E(\bar K))$ and $Q \in E(K)$ we denote by $\alpha_v$ the image of $\alpha$ in $H^1(G_v, E(\bar K_v))$ (which may be zero) and by $Q_v$ the image of $Q$ in $E(K_v)$. We can make a similar definition over the nonarchimedean fields for $\alpha_v \in H^1(G_v, E(\bar K_v))$ and $Q_v \in E(K_v)$ to get $\langle \alpha_v, Q_v \rangle \in \mathrm{Br}(K_v) \cong \mathbb{Q}/\mathbb{Z}$.

We will be interested in the situation where $\alpha \in H^1(K, E)[\ell]$, in which case we have the following commutative diagram:
$$\begin{array}{ccccc}
E(K)/\ell & \times & H^1(K, E)[\ell] & \to & \mathrm{Br}(K)[\ell] \\
\downarrow & & \downarrow & & \downarrow \\
E(K_v)/\ell & \times & H^1(K_v, E)[\ell] & \to & \mathrm{Br}(K_v)[\ell]
\end{array}$$
In the case of the local field $K_v$, the pairing is perfect (local duality for abelian varieties, see e.g. [MAD], Ch. I, §3, Corollary 3.4).

We then have that $\langle \alpha_v, Q_v \rangle = 0$ for almost all $v$. The fundamental sequence $(\dagger)$, the identification $\mathrm{Br}(K_v)[\ell] = \mathbb{Z}/\ell\mathbb{Z}$, and the commutative diagram above imply that for $\alpha \in H^1(K, E)[\ell]$ and $Q \in E(K)$,
$$\sum_v \langle \alpha_v, Q_v \rangle = 0 \in \mathbb{Q}/\mathbb{Z}.$$

2.4. Cohomological Basis of the Unified Approach. Our approach is based on duality theorems for Galois modules and for abelian varieties over number fields. Let $K$ be an algebraic number field and $\mathcal{O}_K$ the ring of integers in $K$. Let $X = \mathrm{Spec}(\mathcal{O}_K)$ and $U$ be a nonempty open subset of $X$ with complement $S$. Thus $U$ consists of all but finitely many places of $K$. Let $\ell$ be a prime number that is invertible on $U$ and let $\mu_\ell$ be the sheaf of $\ell$-th roots of unity. We are interested in the groups $H^i(U, \mu_\ell)$. To aid us in computing them and related cohomology groups, we have the Poitou-Tate exact sequence (see e.g. [MAD], Ch. I, §4, Theorem 4.10c):
$$\begin{array}{c}
0 \to H^0(U, \mu_\ell) \to \bigoplus_{v \in S} H^0(K_v, \mu_\ell) \to H^2(U, \mathbb{Z}/\ell\mathbb{Z})^* \to \\
H^1(U, \mu_\ell) \to \bigoplus_{v \in S} H^1(K_v, \mu_\ell) \to H^1(U, \mathbb{Z}/\ell\mathbb{Z})^* \to \\
H^2(U, \mu_\ell) \to \bigoplus_{v \in S} H^2(K_v, \mu_\ell) \to H^0(U, \mathbb{Z}/\ell\mathbb{Z})^* \to 0.
\end{array}$$
This sequence summarizes many of the basic results from class field theory. Let $K_S$ be a maximal extension of $K$ that is unramified outside $S$ and put $G_S = \mathrm{Gal}(K_S/K)$. Then any sheaf $\mathcal{F}$ on $U$ may be regarded as a $G_S$-module, and we have $H^i(U, \mathcal{F}) = H^i(G_S, \mathcal{F})$. We shall often use this latter notation for the multiplicative group case. We are mainly interested in the middle line of the Poitou-Tate sequence:
$$(*)_{\mu_\ell}\colon\quad H^1(G_S, \mu_\ell) \to \bigoplus_{v \in S} H^1(K_v, \mu_\ell) \to H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})^*$$
and the dual sequence obtained by taking the Pontryagin dual and using Tate local duality:
$$(*)_{\mathbb{Z}/\ell\mathbb{Z}}\colon\quad H^1(G_S, \mathbb{Z}/\ell\mathbb{Z}) \to \bigoplus_{v \in S} H^1(K_v, \mathbb{Z}/\ell\mathbb{Z}) \to H^1(G_S, \mu_\ell)^*.$$
For an elliptic curve $E$ over $K$ that has a smooth proper model $\mathcal{E}$ over $U$ on which $\ell$ is invertible, we have the Cassels-Tate exact sequence (see [MAD], Ch. II, §5, Theorem 5.6b):
$$(**)\qquad E(K)^{(\ell)} \to \bigoplus_{v \in S} E(K_v)^{(\ell)} \to H^1(U, \mathcal{E})\{\ell\}^* \to Ш(E)\{\ell\} \to 0.$$
Here $(\ell)$ denotes completion with respect to subgroups of $\ell$-power index, $\{\ell\}$ denotes the $\ell$-primary part of a torsion abelian group, and $Ш(E)$ is the Shafarevich-Tate group of everywhere locally trivial principal homogeneous spaces under $E$, which we assume to be finite.

We give here a very terse explanation of the common origin of these two exact sequences, as it is the key to our unified approach in the multiplicative group and elliptic curve cases. Let $\mathcal{F}$ be a sheaf on $U$ and $j_!\mathcal{F}$ denote extension of $\mathcal{F}$ by zero from $U$ to $X$. We denote by $H^i_c(U, \mathcal{F})$ the group $H^i(X, j_!\mathcal{F})$; this is cohomology with compact support. Then we have a long exact sequence of cohomology with support (see [MET], Chapter III, Proposition 1.25):
$$\cdots \to H^i_S(X, j_!\mathcal{F}) \to H^i(X, j_!\mathcal{F}) \to H^i(U, \mathcal{F}) \to H^{i+1}_S(X, j_!\mathcal{F}) \to \cdots.$$
For a place $v$ of $K$, let $A^h_v$ denote the henselization of the local ring of $X$ at $v$ (one can also take the completion). Then using the identifications
$$H^i_S(X, j_!\mathcal{F}) \cong \bigoplus_{v \in S} H^i_v(X, j_!\mathcal{F}), \qquad H^i_v(X, j_!\mathcal{F}) = H^i_v(A^h_v, j_!\mathcal{F})$$
for $v \in S$ (see [MAD], Proposition 1.1, page 182 for the last isomorphism, which uses the fact that we have a sheaf of the form $j_!\mathcal{F}$), we get the exact sequence
$$\cdots \to H^i_c(U, \mathcal{F}) \to H^i(U, \mathcal{F}) \to \bigoplus_{v \in S} H^i(K_v, \mathcal{F}) \to H^{i+1}_c(U, \mathcal{F}) \to \cdots.$$
The Poitou-Tate and Cassels-Tate exact sequences are then derived from this one sequence by taking $\mathcal{F} = \mu_\ell$ (resp. $\mathcal{F} = \mathcal{E}$) and using the Artin-Verdier duality theorem (see e.g. [MAD], Chapter II, §3, Corollary 3.2) (resp. the duality theorem for abelian varieties (see [MAD], Chapter 3, §5, Theorem 5.2)).

3. Classical Index Calculus from the Perspective of Arithmetic Duality

Our approach to the discrete log problem for the multiplicative group of a finite field uses the Poitou-Tate exact sequence $(*)$ in §2 above. For the discrete log problem for an elliptic curve $E$ over a finite field with a point of order $\ell$ and a suitable lifting $\tilde{E}$ of $E$ to an algebraic number field $K$, we will use the Cassels-Tate sequence $(**)$ in §2, where $U$ is an open subset of $\mathrm{Spec}(\mathcal{O}_K)$ on which $\tilde{E}$ has good reduction and $\ell$ is invertible, and $\mathcal{E}$ is a smooth proper model of $\tilde{E}$ over $U$. In each case, the method will be to find a suitable element of $H^1(U, \mathcal{F})$ of order $\ell$ against which to "test" a lifting to $K$ of an element over the finite field whose discrete log we seek to compute, and then use the reciprocity laws that are encoded in the exact sequences to create linear relations between the discrete logs.

We demonstrate below how the classical index calculus method emerges in this context as the result of one particular choice of testing Dirichlet character and method of lifting.

Let $p$ and $\ell$ be odd primes such that $p \equiv 1 \pmod{\ell}$ but $p \not\equiv 1 \pmod{\ell^2}$. Given positive integers $g$ and $t$ such that $g \bmod p$ generates the group $\mathbb{F}_p^*$, we would like to compute $n \bmod \ell$ where $t = g^n$ in $\mathbb{F}_p^*$. We will fix $g$ and denote the discrete log of $t$ with respect to $g$ as $\theta(t)$. The core of the classical index calculus method for solving the discrete-log problem in $\mathbb{F}_p^*$ is to compute $\theta(q)$ for primes $q$ up to a chosen bound $B$.

Let $K = \mathbb{Q}$, $X = \mathrm{Spec}(\mathbb{Z})$, and $U = X - S$, where $S$ is a finite set of primes containing $\ell$. Consider the sequence $(*)_{\mathbb{Z}/\ell\mathbb{Z}}$ of the last section. The extension $\mathbb{Q}(\zeta_p)/\mathbb{Q}$ is cyclic of degree $p-1$. Since $p \equiv 1 \pmod{\ell}$, there is a unique sub-extension $L/\mathbb{Q}$ of degree $\ell$. We fix an isomorphism $\mathrm{Gal}(L/\mathbb{Q}) \cong \mathbb{Z}/\ell\mathbb{Z}$ and denote by $\chi$ the corresponding Dirichlet character, which is ramified only at $p$. Then $\chi$ can be regarded as an element of $H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})$ if $p \in S$. From $(*)_{\mathbb{Z}/\ell\mathbb{Z}}$ we have that for all $a \in \mathbb{Z}_S^*$,
$$\sum_{v \in S} \langle \chi_v, a_v \rangle = 0 \in \mathbb{Z}/\ell\mathbb{Z}.$$
Note that
$$\langle \chi_p, a_p \rangle = \theta(a)\,\langle \chi_p, g \rangle,$$
and for $q \in S - \{p\}$,
$$\langle \chi_q, a_q \rangle = v_q(a)\,\langle \chi_q, q \rangle,$$
where $v_q(a)$ is the $q$-adic valuation of $a$.

Let $F$ be the set of primes up to some bound $B$ and let $S$ be the set $F$ together with $p$ and $\ell$. For $q \in F$, since $q \in \mathbb{Z}_S^*$ and $q$ is a local unit at every $v \neq q$ in $S$,
$$0 = \sum_{v \in S} \langle \chi_v, q \rangle = \langle \chi_p, q \rangle + \langle \chi_q, q \rangle = \theta(q)\,\langle \chi_p, g \rangle + \langle \chi_q, q \rangle.$$
Hence,
$$\theta(q) = -\langle \chi_p, g \rangle^{-1} \langle \chi_q, q \rangle.$$
To compute $\theta(q)$ for all primes $q$ in $F$, we generate random $r$ so that $g^r \bmod p$ is $S$-smooth, that is
$$a_r = g^r \bmod p = \prod_{q \in F} q^{e_q(r)}$$
with $e_q(r) \in \mathbb{Z}_{\geq 0}$. Since $a_r \in \mathbb{Z}_S^*$, we have
$$0 = \sum_{v \in S} \langle \chi_v, (a_r)_v \rangle = r\,\langle \chi_p, g \rangle + \sum_{q \in F} e_q(r)\,\langle \chi_q, q \rangle.$$
It follows that
$$r \equiv \sum_{q \in F} e_q(r)\,\theta(q) \pmod{\ell}.$$
With sufficiently many $a_r$ that generate $\mathbb{Z}_S^*/\mathbb{Z}_S^{*\ell}$, we can solve for the unknown $\theta(q) \bmod \ell$. What we have derived is in essence the classical index calculus method.

We remark that similar reasoning as above shows that the image of $H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})$ in $\bigoplus_{q \in S} H^1(\mathbb{Q}_q, \mathbb{Z}/\ell\mathbb{Z})$, where $S = F \cup \{p\}$, has dimension one, and the classical index calculus method amounts to determining this image in a computationally efficient manner.

In the preceding discussion, we were able to explicitly construct the desired Dirichlet character because we were working with abelian extensions of $\mathbb{Q}$, about which we know enough to explicitly compute everything we need. In the discussion below we will be working with real quadratic fields, and there we know much less about how to explicitly construct abelian extensions. However, using the exact sequence $(*)_{\mu_\ell}$, we will demonstrate the existence of a suitable Dirichlet character by explicitly computing the $\mathbb{F}_\ell$-dimensions of the first and second terms, and showing that the former is less than the latter. More generally, we use the following basic strategy to find a suitable testing element. In the multiplicative group case, look for an algebraic number field $K$ such that the $\mathbb{F}_\ell$-dimension of the first term of the middle row of $(*)_{\mu_\ell}$ is smaller than that of the second. This will then guarantee the existence of an element of order $\ell$ in $H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})^*$. By lifting to units of a real quadratic field instead of to smooth integers in $\mathbb{Z}$, we are more able to compare and contrast the discrete log problems for the multiplicative group and for elliptic curves over finite fields. It is an artifact of class field theory that one can often demonstrate the existence of an abelian extension without there being an obvious way to construct it explicitly.

In the elliptic curve case, we look for an algebraic number field $K$ together with an elliptic curve $\tilde{E}/K$ that lifts $E$, such that $\tilde{E}(K)$ is of small rank, e.g. $< 2$. We also assume that at least one of the generators of the torsion-free quotient of $\tilde{E}(K)$ is not divisible by $\ell$ in $\tilde{E}(K_u)$ for all $u \in T$, where $T$ consists of one place above $p$ and both above $\ell$ in a quadratic extension $K/\mathbb{Q}$ in which both $p$ and $\ell$ split.

This approach will be developed in more detail in the next few sections.

4. Signature Calculus for the Multiplicative Group

4.1. Characters with Prescribed Ramification. Throughout this section, let $p, \ell$ be rational primes with $p \equiv 1 \pmod{\ell}$ and $\ell > 2$. Let $K/\mathbb{Q}$ be a real quadratic extension where $p$ and $\ell$ split. Let $a$ be a fundamental unit of $K$. Let $\Sigma$ be the set of all places over $\ell$ and $p$, together with all the archimedean places. For any place $u$ of $K$ let $P_u$ denote the prime ideal corresponding to $u$. For any finite set $S$ of places of $K$, let $G_S$ denote the Galois group of a maximal extension of $K$ that is unramified outside of $S$.

Proposition 1. Let $S$ be a subset of $\Sigma$ that contains both places over $\ell$ and both archimedean places. Suppose

(1) $\ell \nmid h_K$ where $h_K$ is the class number of $K$;

(2) either $a^{\ell-1} \not\equiv 1 \pmod{P_w^2}$ for some $w \in S$ over $\ell$, or $a^{(p-1)/\ell} \not\equiv 1 \pmod{P_w}$ for some $w \in S$ over $p$ (that is, locally $a$ is not an $\ell$-th power at either a place over $\ell$ or a place over $p$).

Then the $\mathbb{F}_\ell$-dimension of $H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})$ equals $n(S) - 1$ where $n(S)$ is the number of finite places in $S$.



Proof: Consider the sequence:
$$(*)_{\mu_\ell}\colon\quad H^1(G_S, \mu_\ell) \xrightarrow{\ f\ } \bigoplus_{v \in S} H^1(K_v, \mu_\ell) \xrightarrow{\ \rho\ } H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})^* \xrightarrow{\ h\ } H^2(G_S, \mu_\ell) \xrightarrow{\ g\ } \bigoplus_{v \in S} H^2(K_v, \mu_\ell).$$
We claim that under the hypotheses of the proposition, $\rho$ is surjective. To see this, the hypothesis that $\ell$ does not divide the class number of $K$ implies that it does not divide the class number of $\mathcal{O}_S$. By Kummer theory, we then have that
$$H^2(G_S, \mu_\ell) = \mathrm{Br}(\mathcal{O}_S)[\ell].$$
But then the map $g$ is injective, so $\rho$ is surjective. Now consider the map
$$f\colon H^1(G_S, \mu_\ell) \to \bigoplus_{v \in S} H^1(K_v, \mu_\ell).$$
Again using the hypothesis that $\ell$ does not divide the class number of $K$, we have that
$$\mathcal{O}_S^*/\mathcal{O}_S^{*\ell} \cong H^1(G_S, \mu_\ell).$$
Consider the exact sequence:
$$0 \to \mathcal{O}^* \to \mathcal{O}_S^* \to \mathbb{Z}^S \to \mathrm{Cl}(\mathcal{O}) \to \mathrm{Cl}(\mathcal{O}_S) \to 0.$$
Going modulo $\ell$ and using the hypotheses of the proposition, we see that the sequence
$$0 \to \mathcal{O}^*/\mathcal{O}^{*\ell} \to \mathcal{O}_S^*/\mathcal{O}_S^{*\ell} \to \mathbb{Z}^S/\ell\mathbb{Z}^S \to 0$$
is exact. This shows that the $\mathbb{F}_\ell$-dimension of the group in the middle is $n(S) + 1$. The hypotheses about the units show that $f$ is injective. The target has dimension $2n(S)$ because $H^1(K_v, \mu_\ell)$ is isomorphic to $K_v^*/K_v^{*\ell}$. If $v \mid p$, then this group is of dimension 2 over $\mathbb{F}_\ell$ because $\ell \mid p-1$. If $v \mid \ell$, then this group is also of dimension 2, spanned by a prime element of $\mathbb{Q}_\ell$ and by a 1-unit. Thus the cokernel of $f$, which by the surjectivity of $\rho$ is $H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})^*$, is of dimension $n(S) - 1$. This completes the proof of the proposition.

Proposition 2. Let $S$ be the set consisting of one place $u$ over $\ell$, one place $v$ over $p$, and both archimedean places. Suppose

(1) $\ell \nmid h_K$ where $h_K$ is the class number of $K$;

(2) $a^{\ell-1} \not\equiv 1 \pmod{P_w^2}$ for all places $w \mid \ell$;

(3) $a^{(p-1)/\ell} \not\equiv 1 \pmod{P_v}$.

Then the $\mathbb{F}_\ell$-dimension of $H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})$ is one. If $\chi$ is any nonzero element of this group, then $\chi$ is ramified at $u$ and $v$.
Proof. Suppose $u, u'$ are the places over $\ell$. Let $R$ be the set consisting of $u, u'$ and both archimedean places. Let $T$ be the set consisting of $u, u', v$ and both archimedean places. Then from Proposition 1 it follows that $H^1(G_R, \mathbb{Z}/\ell\mathbb{Z})$ has dimension one and $H^1(G_T, \mathbb{Z}/\ell\mathbb{Z})$ has dimension two. Hence there exists a nontrivial $\psi \in H^1(G_R, \mathbb{Z}/\ell\mathbb{Z})$, and some $\chi \in H^1(G_T, \mathbb{Z}/\ell\mathbb{Z}) - H^1(G_R, \mathbb{Z}/\ell\mathbb{Z})$. By construction $\chi$ is ramified at $v$, and by the condition on $a$ at $v$ we get $\langle \chi_v, a_v \rangle \neq 0$. As for $\psi$, by the reciprocity law we have $\langle \psi_u, a_u \rangle + \langle \psi_{u'}, a_{u'} \rangle = 0$, so either $\langle \psi_u, a_u \rangle$ and $\langle \psi_{u'}, a_{u'} \rangle$ are both zero or both non-zero. But if both are zero then by the condition on $a$ at $u$ and $u'$ it would follow that $\psi$ is unramified at both places, violating the condition that $\ell$ does not divide the class number of $K$. Hence $\langle \psi_u, a_u \rangle$ and $\langle \psi_{u'}, a_{u'} \rangle$ are both non-zero. Since $\langle \psi_{u'}, a_{u'} \rangle \neq 0$, there exists $c \in \mathbb{Z}/\ell\mathbb{Z}$ such that $\langle \chi_{u'}, a_{u'} \rangle = c\,\langle \psi_{u'}, a_{u'} \rangle$, and letting $\phi = \chi - c\psi$, we have $\langle \phi_{u'}, a_{u'} \rangle = 0$. Now $\phi \in H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})$ since $\langle \phi_{u'}, a_{u'} \rangle = 0$ (by condition (2) at $u'$, this forces $\phi$ to be unramified at $u'$), and $\phi$ is nontrivial since $\langle \phi_v, a_v \rangle = \langle \chi_v, a_v \rangle \neq 0$. Hence $H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})$ is of dimension at least one. Since $\psi$ is ramified at $u'$, it follows that $\psi \notin H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})$, and since $\psi \in H^1(G_R, \mathbb{Z}/\ell\mathbb{Z}) \subset H^1(G_T, \mathbb{Z}/\ell\mathbb{Z})$, it follows that $H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})$ is a proper subset of $H^1(G_T, \mathbb{Z}/\ell\mathbb{Z})$, hence it can be of dimension at most one. We conclude that its dimension must be one, and the proposition follows.

Remarks. (i) We explain why we made the assumptions of Proposition 2, their necessity and sufficiency for the conclusion, and how they affect the signature computations later in the paper:

Condition (1) is made to ensure that the Dirichlet characters of degree $\ell$ that we get will not be everywhere unramified, as such characters would be of no use to us for the signature computation.

Conditions (2) and (3) are meant to ensure that there do not exist characters of $K$ of degree $\ell$ that are ramified only at $p$ or only at $\ell$. Such characters would not help our signature computation. For example, suppose the character $\chi$ is ramified at $v$ and unramified everywhere else. Then if we pair $\chi$ with a global unit $a$ of our real quadratic field, we would get that $\langle \chi_u, a_u \rangle = 0$ since $\chi$ is unramified at $u$ and $a$ is a unit. The reciprocity law would then give us that $\langle \chi_v, a_v \rangle = -\langle \chi_u, a_u \rangle = 0$, and this would not help us in the signature computation. If neither condition (2) nor (3) holds, then there are Dirichlet characters $\chi'$ and $\chi''$, one ramified only at $u$ and the other ramified only at $v$. Thus, while the character $\chi = \chi' + \chi''$ is ramified at both $u$ and $v$, this would not help for our signature computation, since for a global unit $a$, we would have
$$\langle \chi_u, a_u \rangle = \langle \chi'_u, a_u \rangle + \langle \chi''_u, a_u \rangle = 0,$$
since $\chi'$ is ramified only at $u$ and $\chi''$ is unramified at $u$. Similarly for $v$.

(ii) One can give an alternative (and perhaps simpler) proof of Proposition 2 using the ideal theoretic formulation of class field theory. Briefly, using the hypotheses of the proposition, one easily calculates the $\ell$-rank of the Galois group of the ray class field modulo $\mathfrak{f} = \mathfrak{p}\mathfrak{l}$, where $\mathfrak{p}$ is an ideal of $K$ lying over $p$ and $\mathfrak{l}$ is an ideal lying over $\ell$. This is the maximal abelian extension of $K$ with conductor bounded by $\mathfrak{f}$, and its Galois group is isomorphic to a generalized class group by class field theory. Using basic exact sequences and the hypotheses of the proposition, we can explicitly calculate this class group. The reason why we did not write the proof this way is that we want to stress the analogy with elliptic curves, where the Poitou-Tate exact sequence has an analogue (the Cassels-Tate exact sequence), but the ideal theoretic formulation of class field theory has no known analogue.

Assuming the conditions in Proposition 2, $H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})$ is isomorphic to $\mathbb{Z}/\ell\mathbb{Z}$. Every nontrivial character $\chi$ in it is ramified at $u$ and $v$ and unramified at all other finite places; moreover, $\langle \chi_u, a_u \rangle \neq 0$ and $\langle \chi_v, a_v \rangle \neq 0$, and $\langle \chi_u, a_u \rangle + \langle \chi_v, a_v \rangle = 0$. This group of characters corresponds to a unique cyclic extension $K_S$ of degree $\ell$ over $K$ which is ramified at $u$ and $v$ and unramified at all other finite places.

At $u$, we take the class of $1 + \ell$ as the generator of the group $\mathcal{O}_{K_u}^*/\mathcal{O}_{K_u}^{*\ell} \cong \mathbb{Z}_\ell^*/\mathbb{Z}_\ell^{*\ell} \cong \mathbb{Z}/\ell\mathbb{Z}$. For $0 \neq \chi \in H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})$, we call $\sigma_u(\chi) = \langle \chi_u, 1 + \ell \rangle$ the $u$-signature of $\chi$.

Let $g \in \mathbb{Z}$ so that $g \bmod p$ generates the multiplicative group of $\mathbb{F}_p$. Then the class of $g$ generates $\mathcal{O}_{K_v}^*/\mathcal{O}_{K_v}^{*\ell} \cong \mathbb{Z}_p^*/\mathbb{Z}_p^{*\ell} \cong \mathbb{Z}/\ell\mathbb{Z}$. For $\chi \in H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})$, we call $\sigma_v(\chi) = \langle \chi_v, g_v \rangle \neq 0$ the $v$-signature of $\chi$.

We call the pair $(\sigma_u(\chi), \sigma_v(\chi))$ the signature of $\chi$. If we take $\chi'$ satisfying the conditions we have put, then $\chi' = a\chi$ for some $a \in (\mathbb{Z}/\ell\mathbb{Z})^*$, and hence we don't change $\sigma_u(\chi)\sigma_v(\chi)^{-1} \in \mathbb{Z}/\ell\mathbb{Z}$. This last quantity only depends on $K_S$ and we call it the ramification signature of $K_S$; it is nonzero.

4.2. DL and Signature Computation. In this section we show that the discrete
logarithm problem in the multiplicative case is random polynomial time equivalent
to computing the signature of cyclic extensions with prescribed ramification
as described in Proposition 2.

DL Problem: Suppose we are given $p$, $\ell$, $g$ and $a$, where $p$ and $\ell$ are prime with
$p \equiv 1 \pmod{\ell}$, $g$ is a generator for the group $\mathbb{F}_p^*\{\ell\}$ of elements killed by $\ell$, and
$a \in \mathbb{F}_p^*\{\ell\}$. Then compute $m \bmod \ell$ such that $a = g^m$ in $\mathbb{F}_p$.

Signature Computation Problem: Suppose we are given $K$, $p$, $\ell$, $u$, $u'$, $v$, $\alpha$ and
$g$, where $K = \mathbb{Q}(\sqrt{D})$ is a real quadratic field, $\ell$, $p$ are primes that split in $K$, $u$
and $u'$ are the two places of $K$ over $\ell$, $v$ is a place of $K$ over $p$, $\alpha$ is a unit of $K$,
and $g$ is a generator for $\mathbb{F}_p^*$ such that: (1) the class number of $K$ is not divisible by
$\ell$, (2) $\alpha^{\ell-1} \not\equiv 1 \pmod{\mathfrak{P}_u^2}$ and $\alpha^{\ell-1} \not\equiv 1 \pmod{\mathfrak{P}_{u'}^2}$, and (3) $\alpha^{(p-1)/\ell} \not\equiv 1 \pmod{\mathfrak{P}_v}$.
(Condition (2) says that the class of $\alpha$ generates $\mathcal{O}_u^*/\mathcal{O}_u^{*\ell}$ and $\mathcal{O}_{u'}^*/\mathcal{O}_{u'}^{*\ell}$;
condition (3) says that it generates $\mathcal{O}_v^*/\mathcal{O}_v^{*\ell}$.)
Then compute the ramification signature, with respect to $1 + \ell$ and $g$, of the cyclic
extension of degree $\ell$ over $K$ which is ramified at $u$, $v$ and unramified elsewhere.

Theorem 1. The problems DL and Signature Computation are random polynomial
time equivalent.

For the proof of the theorem, we first give a random polynomial time reduction
from DL to Signature Computation. This part of the proof depends on some
heuristic assumption which will be made clear below.

Let $a = g^m$ in $\mathbb{F}_p$ where $m$ is to be computed. If $a^{(p-1)/\ell} = 1$, then $m \equiv 0
\pmod{\ell}$. So suppose $a^{(p-1)/\ell} \neq 1$. We lift $a$ to some unit $\alpha$ of a real quadratic field
$K$ such that $\alpha \equiv a \pmod{v}$ for some place $v$ of $K$ over $p$. This can be done as
follows.

(1) Compute $b \in \mathbb{F}_p$ such that $ab = 1$ in $\mathbb{F}_p$.

(2) $c = 2^{-1}(a + b)$; $d = 2^{-1}(a - b)$. Note that $c^2 - d^2 = ab = 1$, and $a = c + d$.
We may assume $d \neq 0$, otherwise $a^2 = 1$ and $m = (p - 1)/2$ or $p - 1$.

(3) Treat $d$ as an integer. Let $\gamma \in \overline{\mathbb{Q}}$ be such that $\gamma^2 = 1 + d^2$.

(4) Check if $1 + d^2$ is a quadratic residue modulo $\ell$. Otherwise substitute
$d + rp$ for $d$ for random $r$ until the condition is met. This is to make sure
that $\ell$ splits in $K = \mathbb{Q}(\gamma)$.

(5) $\gamma^2 = 1 + d^2 \equiv c^2 \pmod{p}$ implies $\gamma \equiv c \pmod{v}$, and $\gamma \equiv -c
\pmod{v'}$, where $v$ and $v'$ are the two places of $K$ over $p$.

(6) Let $\alpha = \gamma + d$. Then $\alpha \equiv c + d = a \pmod{v}$. Note that the norm of $\alpha$
is $d^2 - \gamma^2 = -1$, so $\alpha$ is a unit of $K$.

We make the heuristic assumption that it is likely for $K$ to satisfy the conditions
in Proposition 2. (Note that condition (3) is satisfied since $\alpha \equiv a \pmod{v}$
and $a^{(p-1)/\ell} \neq 1$.) We argue below that computing the discrete logarithm $m$ where
$a = g^m$ is reduced to solving the Signature Computation problem on input $K$, $p$,
$\ell$, $u$, $v$, $\alpha$ and $g$, where $K = \mathbb{Q}(\gamma)$ with $\gamma^2 = 1 + d^2$, $\alpha = \gamma + d$, and $u$ and $v$ are as
constructed above. A simple analysis shows that the expected time complexity in
constructing these objects is polynomial in $\log p$.

For $\chi \in H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})$ that is ramified at $u$ and $v$, and unramified elsewhere,
we have

$$0 = \langle \chi_u, \alpha_u \rangle + \langle \chi_v, \alpha_v \rangle.$$

Moreover since $\alpha^{(p-1)/\ell} \not\equiv 1 \pmod{v}$, $\alpha$ generates $\mathcal{O}_v^*/\mathcal{O}_v^{*\ell}$, so $\langle \chi_v, \alpha_v \rangle \neq 0$,
and it follows that $\langle \chi_u, \alpha_u \rangle \neq 0$.

In general for a field $k$ and $a, b \in k^*$, we write $a \sim_\ell b$ if $a/b \in k^{*\ell}$.

We have $\alpha \sim_\ell g^m$ in $K_v$ since $\alpha \equiv a = g^m \pmod{v}$ (and $1 + p\mathbb{Z}_p \subset \mathbb{Z}_p^{*\ell}$
because $p \neq \ell$). Hence

$$\langle \chi_v, \alpha_v \rangle = \langle \chi_v, g^m_v \rangle = m\langle \chi_v, g_v \rangle.$$

Write $\alpha \equiv \zeta(1 + y\ell) \pmod{\ell^2}$ with $\zeta^{\ell-1} = 1$ after identifying $\alpha$ with its
isomorphic image in $\mathbb{Q}_\ell$. Then $\alpha \sim_\ell (1 + \ell)^y$, and

$$\langle \chi_u, \alpha_u \rangle = \langle \chi_u, (1 + \ell)^y_u \rangle = y\langle \chi_u, 1 + \ell_u \rangle.$$

Hence we have

$$\langle \chi_u, \alpha_u \rangle + \langle \chi_v, \alpha_v \rangle = y\langle \chi_u, 1 + \ell_u \rangle + m\langle \chi_v, g_v \rangle.$$

So $y\sigma_u(\chi) + m\sigma_v(\chi) = 0$, that is, $m \equiv -y \cdot \sigma_u(\chi)\sigma_v(\chi)^{-1} \pmod{\ell}$.
From this we see that if the ramification signature $\sigma_u(\chi)(\sigma_v(\chi))^{-1}$ is determined
then $m$ is determined. The expected time in this reduction is polynomial in $\log p$.

Next we give a random polynomial time reduction from Signature Computation
on input $K$, $p$, $\ell$, $u$, $v$, $\alpha$ and $g$, to DL on input $p$, $\ell$, $g$ and $a$ where $a \equiv \alpha
\pmod{v}$.

Call the oracle to DL on input $p$, $\ell$, $g$ and $a$ to compute $m$ such that $g^m \equiv a
\pmod{p}$. Then $\alpha \equiv g^m \pmod{v}$.

Write $\alpha \equiv \zeta(1 + y\ell) \pmod{\ell^2}$ with $\zeta^{\ell-1} = 1$ after identifying $\alpha$ with its
isomorphic image in $\mathbb{Q}_\ell$. Then $\alpha \sim_\ell (1 + \ell)^y$. Again, $\zeta \bmod \ell^2$ (which is
$\alpha^\ell \bmod \ell^2$, since $(1 + y\ell)^\ell \equiv 1 \pmod{\ell^2}$) and hence $y$ can
be computed efficiently in time $O(\|\alpha\| \log \ell) + (\log \ell)^{O(1)} = O(\|\alpha\| \log p) + (\log p)^{O(1)}$.

For $\chi \in H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})$ that is ramified at $u$ and $v$ and unramified elsewhere,
we have as before $\langle \chi_v, \alpha_v \rangle = \langle \chi_v, g^m_v \rangle = m\langle \chi_v, g_v \rangle$, and $\langle \chi_u, \alpha_u \rangle =
\langle \chi_u, (1 + \ell)^y_u \rangle = y\langle \chi_u, 1 + \ell_u \rangle$. Hence

$$0 = \langle \chi_u, \alpha_u \rangle + \langle \chi_v, \alpha_v \rangle = y\langle \chi_u, 1 + \ell_u \rangle + m\langle \chi_v, g_v \rangle,$$

and from this we can determine the signature $\sigma_u(\chi)(\sigma_v(\chi))^{-1} \equiv -m y^{-1} \pmod{\ell}$
(here $y \not\equiv 0 \pmod{\ell}$ by condition (2)). The expected running
time in this reduction is $O(\|\alpha\| \log p) + (\log p)^{O(1)}$.
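The lifting in steps (1)-(6) above and the computation of $y$ from $\alpha \equiv \zeta(1 + y\ell) \pmod{\ell^2}$ are mechanical, so here is a worked example of both. It is an added illustration, not code from the paper, and it uses constructed toy parameters $p = 31$, $\ell = 5$, $g = 3$ and $a = g^7$. The shift $r$ of step (4) is tried in the order $0, 1, 2, \ldots$ instead of at random so that the output is reproducible, and the two square roots of $1 + d^2$ modulo $\ell^2$ serve as the images of $\gamma$ in $K_u = \mathbb{Q}_\ell$ and $K_{u'} = \mathbb{Q}_\ell$. The oracle for the ramification signature is not implemented; the last two functions only carry out the bookkeeping $y\sigma_u + m\sigma_v = 0$ in both directions of Theorem 1.

```python
import math

# Toy parameters, constructed for this example (not from the paper): p = 31, ell = 5 | p - 1,
# g = 3 generates F_31^*, and a = g^m with m = 7 is the instance to be solved.


def lift_to_unit(p, ell, a):
    """Steps (1)-(6): return (c, d, D) with D = 1 + d^2, so that K = Q(sqrt(D)),
    gamma = sqrt(D), alpha = gamma + d is a unit of norm -1, and alpha = c + d = a at the
    place v of K over p where gamma = c (mod p).  The paper shifts d by a random multiple
    of p; here r = 0, 1, 2, ... is tried in order so the example is reproducible."""
    inv2 = pow(2, -1, p)
    b = pow(a, -1, p)                                   # (1) ab = 1 in F_p
    c, d = (a + b) * inv2 % p, (a - b) * inv2 % p       # (2) c^2 - d^2 = ab = 1, a = c + d
    assert d != 0, "a = +-1, i.e. m = (p-1)/2 or p-1: handled separately"
    assert (c * c - d * d) % p == 1
    for r in range(p):                                  # (3)-(4): need 1 + d^2 a nonzero square mod ell
        dr = d + r * p
        D = 1 + dr * dr
        is_square_mod_ell = D % ell != 0 and pow(D % ell, (ell - 1) // 2, ell) == 1
        if is_square_mod_ell and math.isqrt(D) ** 2 != D:   # D must not be a rational square
            return c, dr, D
    raise ValueError("no shift r < p makes ell split in K")


def sqrt_mod_ell_squared(D, ell):
    """The two square roots of D modulo ell^2, by one Newton/Hensel step from the roots
    modulo ell.  They are the images of gamma in K_u = Q_ell and K_u' = Q_ell."""
    m2 = ell * ell
    roots = []
    for s0 in range(1, ell):
        if (s0 * s0 - D) % ell == 0:
            s1 = (s0 - (s0 * s0 - D) * pow(2 * s0, -1, m2)) % m2
            assert (s1 * s1 - D) % m2 == 0
            roots.append(s1)
    return roots


def y_at_ell(alpha_mod, ell):
    """Write alpha = zeta (1 + y ell) (mod ell^2) with zeta^(ell-1) = 1 and return y mod ell.
    zeta = alpha^ell (mod ell^2) because (1 + y ell)^ell = 1 (mod ell^2)."""
    m2 = ell * ell
    zeta = pow(alpha_mod, ell, m2)
    assert pow(zeta, ell - 1, m2) == 1
    one_plus_y_ell = alpha_mod * pow(zeta, -1, m2) % m2
    assert one_plus_y_ell % ell == 1
    return (one_plus_y_ell - 1) // ell


def dl_from_signature(y, sig, ell):
    """DL -> Signature Computation: from y*sigma_u + m*sigma_v = 0 and the ramification
    signature sig = sigma_u / sigma_v (the oracle's output), m = -y * sig (mod ell)."""
    return (-y * sig) % ell


def signature_from_dl(y, m, ell):
    """Signature Computation -> DL: from the same relation, sig = -m / y (mod ell);
    y != 0 (mod ell) is exactly condition (2)."""
    return (-m * pow(y, -1, ell)) % ell


def worked_example(p=31, ell=5, g=3, m=7):
    a = pow(g, m, p)
    assert pow(a, (p - 1) // ell, p) != 1          # otherwise m = 0 (mod ell) and we are done
    c, d, D = lift_to_unit(p, ell, a)
    assert d * d - D == -1                          # N(alpha) = d^2 - gamma^2 = -1: alpha is a unit
    assert D % p == (c * c) % p                     # gamma = +-c (mod p): p splits, alpha = a at v
    # alpha = gamma + d at the two places over ell, and the corresponding y's
    ys = [y_at_ell((s + d) % (ell * ell), ell) for s in sqrt_mod_ell_squared(D, ell)]
    assert all(y % ell != 0 for y in ys)            # condition (2) at u and u'
    return a, d, D, ys


if __name__ == "__main__":
    print(worked_example())
```

With these parameters the lift is $d = 65$, $D = 4226$, $\alpha = \sqrt{4226} + 65$, and $y = 3$ at one place over $5$ and $y = 2$ at the other; the two `assert`s on $N(\alpha)$ and on $D \bmod p$ are the checks a practitioner should keep when the shift $r$ is chosen at random.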

5. Signature Calculus for ECDL

5.1. Preliminaries. In this section we will demonstrate the existence of principal
homogeneous spaces of order $\ell$ under elliptic curves over number fields with
prescribed ramification. We begin by describing $H^1(K_v, E)[\ell]$ in general terms
when $E$ has good reduction at $v$.

Lemma 1. Let $K_v$ be a local field with finite residue field $k$. Let $E$ be an
elliptic curve defined over $K_v$ with good reduction.

(1) Suppose the characteristic of $k$ is $\ell$. Then $H^1(K_v, E)[\ell] \cong \mathbb{Z}/\ell\mathbb{Z}$ if $K_v =
\mathbb{Q}_\ell$ and $\ell \nmid \#E(k)$.

(2) Suppose the characteristic of $k$ is not $\ell$. Then

(a) $H^1(K_v, E)[\ell] = 0$ if $\ell \nmid \#E(k)$;

(b) $H^1(K_v, E)[\ell] \cong \mathbb{Z}/\ell\mathbb{Z}$ if $\ell \mid \#E(k)$ but $\ell^2 \nmid \#E(k)$.

Proof.

Let $E_1(K_v)$ be the kernel of the reduction map from $E(K_v)$ to $E(k)$. From
the commutative diagram

$$0 \to E_1(K_v) \to E(K_v) \to E(k) \to 0$$

(with multiplication by $\ell$ as the vertical map on each term) and the snake lemma, we get the exact sequence

$$0 \to E_1(K_v)[\ell] \to E(K_v)[\ell] \to E(k)[\ell] \to E_1(K_v)/\ell E_1(K_v) \to
E(K_v)/\ell E(K_v) \to E(k)/\ell E(k) \to 0.$$

If $\ell$ does not divide the order of $E(k)$, then $E(k)[\ell]$ and $E(k)/\ell E(k)$ are both
$0$. Hence $E(K_v)/\ell E(K_v) \cong E_1(K_v)/\ell E_1(K_v)$.

To prove (1) suppose the characteristic of $k$ is $\ell$. If $K_v = \mathbb{Q}_\ell$, then $E_1(K_v)/\ell E_1(K_v) \cong
\mathbb{Z}/\ell\mathbb{Z}$ (the formal group identifies $E_1(\mathbb{Q}_\ell)$ with $\ell\mathbb{Z}_\ell$). If moreover $|E(k)|$ is not divisible by $\ell$, then $E(K_v)/\ell E(K_v) \cong E_1(K_v)/\ell E_1(K_v) \cong
\mathbb{Z}/\ell\mathbb{Z}$, hence $H^1(K_v, E)[\ell] \cong \mathbb{Z}/\ell\mathbb{Z}$ by local duality.

To prove (2), suppose the characteristic of $k$ is not $\ell$. Then $E_1(K_v)$ is a pro-$p$ group for $p \neq \ell$, so $E_1(K_v)/\ell E_1(K_v) =
0$, and it follows from the long exact sequence that $E(K_v)/\ell E(K_v) \cong E(k)/\ell E(k)$.
If $\ell$ does not divide the order of $E(k)$, then $E(K_v)/\ell E(K_v) \cong E(k)/\ell E(k) = 0$,
and by local duality, $H^1(K_v, E)[\ell] = 0$. This proves 2(a). If $|E(k)|$ is divisible
by $\ell$ but not $\ell^2$, then $E(k)/\ell E(k) \cong \mathbb{Z}/\ell\mathbb{Z}$. Hence $E(K_v)/\ell E(K_v) \cong
E(k)/\ell E(k) \cong \mathbb{Z}/\ell\mathbb{Z}$, and by local duality, $H^1(K_v, E)[\ell] \cong \mathbb{Z}/\ell\mathbb{Z}$. Thus 2(b)
is proved.



5.1.1. Ranks of Quadratic Twists of Elliptic Curves over $\mathbb{Q}$. Let $E$ be an elliptic
curve over $\mathbb{Q}$ and fix a Weierstrass equation for $E$:

$$y^2 = x^3 + ax + b.$$

Let $K = \mathbb{Q}(\sqrt{d})$ be a quadratic extension of $\mathbb{Q}$ and let $E_d$ be the quadratic twist of
$E$ given by the equation

$$dy^2 = x^3 + ax + b.$$

Let $G$ be the Galois group of $K$ over $\mathbb{Q}$ and $\sigma$ a generator of $G$. Denote by $V$
the group $E(K) \otimes_{\mathbb{Z}} \mathbb{Q}$, by $V^+$ the fixed space of $\sigma$, and by $V^-$ the subspace of $V$
where $\sigma$ acts by $-1$. Now

$$V = V^+ \oplus V^-,$$

$V^+ = E(\mathbb{Q}) \otimes_{\mathbb{Z}} \mathbb{Q}$, and we see easily that $V^- = E_d(\mathbb{Q}) \otimes_{\mathbb{Z}} \mathbb{Q}$, via the isomorphism
sending a point $(x, y)$ in $E_d(\mathbb{Q})$ to $(x, \sqrt{d}\,y)$ in $V^-$.

In the algorithm in §5.3 below, it will help to have a lifting $E/\mathbb{Q}$ of our original
elliptic curve $\bar{E}/\mathbb{F}_p$ such that both $E(\mathbb{Q})$ and $E_d(\mathbb{Q})$ are of rank one. Standard
conjectures about the behavior of the rank of the Mordell-Weil group of an elliptic
curve predict that it should be quite possible to find such a situation. For example,
a conjecture of Goldfeld [G] says that the rank of a quadratic twist $E_d$ of an elliptic
curve $E$ over $\mathbb{Q}$ should be on average as small as the sign of the functional equation
of its $L$-function would allow, i.e. either $0$ or $1$, depending on whether this sign is
$+1$ or $-1$. In fact, assuming the Riemann hypothesis for all of the curves $E_d$, Heath-Brown
[HB] has proved that at least $1/4$ of all the $E_d$ with the sign in the functional
equation of the $L$-function being $+1$ will have rank $0$ and at least $3/4$ of all the $E_d$
with the sign being $-1$ will have rank $1$ (see [HB], Theorem 4). In the algorithm,
we will first lift $\bar{E}/\mathbb{F}_p$ to $E/\mathbb{Q}$ that has rank at least one by construction, and we will
make the heuristic assumption that $E(\mathbb{Q})$ is of rank exactly one and therefore the
sign of the functional equation is $-1$ (see [BMSW], §3 for why this is considered to
be reasonable). Using ([RS], Theorem 7.2), Heath-Brown's result just mentioned,
and taking sufficiently many random $d$, we can heuristically arrange for the sign
of the functional equation of $E_d$ to be equal to $-1$ and for $E_d(\mathbb{Q})$ to have rank $1$.
When we make the heuristic assumption in §5.3 below that the rank of $E(K)$ is
exactly two, we shall mean this.

5.1.2. The Group $E(K_v)/\ell$ at Bad Reduction Primes $v$ of $E$. Let $\bar{E}$ be an
elliptic curve over $\mathbb{F}_p$, $p > 5$, given in Weierstrass form by an affine equation

$$y^2 = x^3 + \bar{a}x + \bar{b}.$$

In the algorithm below, we will want to lift $\bar{E}$ to an elliptic curve $E$ over $\mathbb{Q}$ with
Weierstrass equation

$$y^2 = x^3 + ax + b,$$

having good reduction at $\ell$ and such that at primes $v$ of bad reduction, $E(K_v)/\ell =
0$. We give a heuristic here about why this should be possible. In our lifting in
the algorithm presented in §5.3, $|a|$ is at most $p$ and $|b|$ is of order at most $p^4$ (by
the bounds on $\mu$, $\nu$ and $r$ in Step 1 there), so the
discriminant $\Delta$ of a minimal Weierstrass equation for $E$ is of order at most $p^8$. At a
prime $v$ of split multiplicative reduction, the group of connected components
of the Néron model of $E$ over the ring of integers of $\mathbb{Q}_v$ will be of order the power
of $v$ in the discriminant. Since $\ell$ is of the same order as $p$ while this power is at most
$\log_2 |\Delta|$, it is very unlikely to be divisible by $\ell$. At other primes of bad reduction, the group of connected
components is of order at most $4$ (see [Sil], Ch. VII, Theorem 6.1). Thus the order
of the group of components is unlikely to be divisible by $\ell$. We claim that this
implies that for any bad reduction place $v$ of $E$, $E(K_v)/\ell = 0$. To see this, recall
that $E(K_v)$ has a filtration:

$$E(K_v) \supset E_0(K_v) \supset E_1(K_v),$$

where $E_0(K_v)$ is the group of points specializing to points of the smooth locus
of the special fibre $E'$ of the minimal regular proper model $\mathcal{E}$ of $E$ over the ring of
integers $R$ of $K_v$ and $E_1(K_v)$ is the kernel of the reduction map

$$E_0(K_v) \to E'_{\mathrm{sm}}(\mathbb{F}_v).$$

Now $E(K_v)/E_0(K_v)$ is the group of connected components of the special fibre of
the Néron model of $E$ over $R$, and $E_1(K_v)$ is a pro-$v$-group, where $v$ is the residue
characteristic of $K_v$. $E_0(K_v)/E_1(K_v)$ is the group of points on the connected
component of the identity of the special fibre of the Néron model. This last group is
isomorphic to either the additive group or the multiplicative group of the residue
field $\mathbb{F}_v$. Because $E$ has good reduction at $\ell$, $v \neq \ell$, $\ell$ is large and $v$ is relatively
small compared to $\ell$, it is unlikely that $\ell$ will divide $v - 1$. When $\ell$ divides neither
$|E(K_v)/E_0(K_v)|$ nor $|E_0(K_v)/E_1(K_v)|$, and $E_1(K_v)$ is $\ell$-divisible because it is pro-$v$
with $v \neq \ell$, all three graded pieces of the filtration are $\ell$-divisible, so $E(K_v)/\ell = 0$.
Thus it is likely that $E(K_v)/\ell = 0$ and we shall use this heuristic in the algorithm in §5.3 below.

5.2. Principal Homogeneous Spaces Ramified over $p$ and $\ell$. Throughout
this section, let $p$, $\ell$ be odd rational primes. Let $K/\mathbb{Q}$ be a real quadratic extension,
$X = \operatorname{Spec}(\mathcal{O}_K)$ and $\Sigma$ be the set of all places at which $E$ has bad reduction,
together with all the archimedean places. Let $\mathcal{E}$ be a smooth proper model of $E$
over the open subset $U = X - \Sigma$. If $S$ is any set of places of $K$ containing $\Sigma$,
denote by $U_S$ the open set $X - S$. We denote by $\text{Ш}(E)$ the Shafarevich-Tate group
of everywhere locally trivial principal homogeneous spaces under $E$ over $K$.

Proposition 3. Let $S$ be a finite set of places of $K$ containing all bad reduction
places of $E$ and the places above $\ell$. Then if $\text{Ш}(E)\{\ell\} = 0$, we have the exact
sequence:

$$E(K)/\ell \to \prod_{v \in S} E(K_v)/\ell \to (H^1(U_S, \mathcal{E})[\ell])^* \to 0.$$

Proof: Consider the Cassels-Tate exact sequence

$$(**)\qquad E(K)^{\wedge} \to \prod_{v \in S} E(K_v)^{\wedge} \to H^1(U_S, \mathcal{E})\{\ell\}^* \to \text{Ш}(E)\{\ell\} \to 0,$$

where $^{\wedge}$ denotes $\ell$-adic completion.

Lemma 2. Let $B$ be a torsion abelian group such that $B[\ell^n]$ and $B/\ell^n B$ are
finite groups. Then we have

$$B[\ell]^* \cong B^*/\ell B^*$$

and

$$B\{\ell\}^* \cong B^{*\wedge}.$$

Proof:

Let $n$ be a positive integer and consider the tautological exact sequence:

$$0 \to B[\ell^n] \to B \xrightarrow{\ \ell^n\ } B \to B/\ell^n B \to 0.$$

Since the functor $^*$ (see §1 for notation) is exact on the category of locally
compact abelian groups, we get the exact sequence:

$$0 \to (B/\ell^n B)^* \to B^* \xrightarrow{\ \ell^n\ } B^* \to B[\ell^n]^* \to 0.$$

We then get the first conclusion of the lemma by taking $n = 1$ and the second by
passing to the inverse limit over $n$. This completes the proof of the lemma.

The proposition then follows from the lemma, the assumption that $\text{Ш}(E)\{\ell\} =
0$, and the Cassels-Tate sequence above by reducing the terms mod $\ell$.

For the remainder of this section we assume that $p$ and $\ell$ split in $K$, and that
$E$ has good reduction at $p$ and $\ell$, with $\#\bar{E}(\mathbb{F}_p) = \ell$ and $\ell \nmid \#\bar{E}(\mathbb{F}_\ell)$. Moreover,
because we assume that $\ell$ is sufficiently large, a theorem of Kamienny [Ka] ensures
that $E(L)[\ell]$ is trivial for all quadratic extensions $L$ over $\mathbb{Q}$. Finally, we assume
that $E(K_v)/\ell = 0$ for all bad reduction places $v$ of $E$ (see §5.1.2 for why this is
reasonable, heuristically).

Proposition 4. Let $S$ be a finite set of places of $K$ containing all bad reduction
places of $E$ and the places above $\ell$. $S$ may or may not contain places above
$p$, but assume that it contains no good reduction places that do not divide $\ell$ or $p$.
Suppose

(1) $\text{Ш}(E)\{\ell\} = 0$;

(2) the map $E(K)/\ell \to E(K_u)/\ell \oplus E(K_{u'})/\ell$ is an isomorphism, where $u$
and $u'$ are the two places of $K$ over $\ell$.

Then the $\mathbb{F}_\ell$-dimension of $H^1(U_S, \mathcal{E})[\ell]$ equals $n(S) - 2$ where $n(S)$ is the number
of finite places in $S - \Sigma$.

Proof: Since $\text{Ш}(E)\{\ell\} = 0$, we have the exact sequence

$$E(K)/\ell \to \prod_{v \in S} E(K_v)/\ell \to (H^1(U_S, \mathcal{E})[\ell])^* \to 0$$

by Proposition 3. The middle group in the sequence, $\prod_{v \in S} E(K_v)/\ell$, is isomorphic
to the direct sum of $n(S)$ copies of $\mathbb{Z}/\ell\mathbb{Z}$ by Lemma 1: each place of $S - \Sigma$ lies over
$\ell$ or $p$ and contributes one copy, the bad reduction places contribute nothing by the
assumption $E(K_v)/\ell = 0$, and the archimedean places contribute nothing since $\ell$ is odd.
Since the map

$$E(K)/\ell \to E(K_u)/\ell \oplus E(K_{u'})/\ell \cong \mathbb{Z}/\ell\mathbb{Z} \oplus \mathbb{Z}/\ell\mathbb{Z}$$

is an isomorphism, it follows that the image of the map

$$E(K)/\ell \to \prod_{v \in S} E(K_v)/\ell$$

is isomorphic to $\mathbb{Z}/\ell\mathbb{Z} \oplus \mathbb{Z}/\ell\mathbb{Z}$. Hence the $\mathbb{F}_\ell$-dimension of $H^1(U_S, \mathcal{E})[\ell]$ equals
$n(S) - 2$.

Proposition 5. Let $S$ be the set consisting of all bad reduction places of $E$,
together with the two places $u$ and $u'$ over $\ell$, and one place $v$ over $p$. Suppose

(1) $\text{Ш}(E)\{\ell\} = 0$;

(2) the map $E(K)/\ell \to E(K_u)/\ell \oplus E(K_{u'})/\ell$ is an isomorphism.

Then the $\mathbb{F}_\ell$-dimension of $H^1(U_S, \mathcal{E})[\ell]$ is one. Moreover, every nontrivial element
of $H^1(U_S, \mathcal{E})[\ell]$ is ramified at $v$.

Proof. Suppose $u, u'$ are the places over $\ell$, and $v, v'$ the places over $p$. Let $R =
\Sigma \cup \{u, u'\}$ and $T = \Sigma \cup \{u, u', v\}$. Then from Proposition 4 we know that
$H^1(U_R, \mathcal{E})[\ell]$ has dimension zero and $H^1(U_T, \mathcal{E})[\ell]$ has dimension one. So every
nontrivial $\chi \in H^1(U_T, \mathcal{E})[\ell]$ lies outside $H^1(U_R, \mathcal{E})[\ell]$, and hence must be ramified at $v$. This completes
the proof of the proposition.

We remark that in the proposition above the assumption that the map $E(K)/\ell \to
E(K_u)/\ell \oplus E(K_{u'})/\ell$ is an isomorphism can be replaced by the assumption that
the images of $E(K)/\ell$ in $E(K_u)/\ell \oplus E(K_{u'})/\ell$ and in $E(K_v)/\ell \oplus E(K_u)/\ell \oplus
E(K_{u'})/\ell$ are both of $\mathbb{F}_\ell$-dimension two.

For $w = u, u', v$, let $R_w \in E(K_w)$ be such that the class of $R_w$ generates
$E(K_w)/\ell$. For $\chi \in H^1(U_S, \mathcal{E})[\ell]$ and $w$ a place of $K$, we call $a_w(\chi) = \langle \chi_w, R_w \rangle$
the $w$-signature of $\chi$. We call $(a_u, a_{u'}, a_v)$ the signature of $\chi$ with respect to
$R_u$, $R_{u'}$ and $R_v$. Proposition 5 implies that $\langle \chi_v, R_v \rangle \neq 0$ for any nontrivial
$\chi \in H^1(U_S, \mathcal{E})[\ell]$ and that

$$\left( \frac{\langle \chi_u, R_u \rangle}{\langle \chi_v, R_v \rangle},\ \frac{\langle \chi_{u'}, R_{u'} \rangle}{\langle \chi_v, R_v \rangle} \right)$$

is the same for all such $\chi$. We call
this pair the signature of $H^1(U_S, \mathcal{E})[\ell]$ with respect to $R_u$, $R_{u'}$ and $R_v$.

Since the pairing between $H^1(K_v, E)[\ell]$ and $E(K_v)/\ell E(K_v)$ is perfect, both
being isomorphic to $\mathbb{Z}/\ell\mathbb{Z}$, there is a unique $\psi_v \in H^1(K_v, E)[\ell]$ such that $\langle
\psi_v, R_v \rangle = 1$. Similarly, there is a unique $\psi_u \in H^1(K_u, E)[\ell]$ such that $\langle
\psi_u, R_u \rangle = 1$, and a unique $\psi_{u'} \in H^1(K_{u'}, E)[\ell]$ such that $\langle \psi_{u'}, R_{u'} \rangle = 1$.
Let $\chi \in H^1(U_S, \mathcal{E})[\ell]$. Suppose $\chi_v = a_v\psi_v$, $\chi_u = a_u\psi_u$ and $\chi_{u'} = a_{u'}\psi_{u'}$. Then
$\langle \chi_v, R_v \rangle = a_v$, $\langle \chi_u, R_u \rangle = a_u$ and $\langle \chi_{u'}, R_{u'} \rangle = a_{u'}$. So $a_u$, $a_{u'}$ and
$a_v$ constitute the signature for $\chi$ with respect to $R_u$, $R_{u'}$ and $R_v$. Thus the signature
$(a_u, a_{u'}, a_v)$ succinctly represents the localization of $\chi$ at the ramified places.
These localizations in turn determine $\chi$ uniquely, since the Shafarevich-Tate group
is assumed to have trivial $\ell$-part. Therefore, the signature of $\chi$ can be regarded
as a succinct representation of $\chi$ (by determining its localization at $u$, $u'$ and $v$ as
$\chi_u = a_u\psi_u$, $\chi_{u'} = a_{u'}\psi_{u'}$ and $\chi_v = a_v\psi_v$). We note that this representation
requires only $O(\log \ell)$ bits whereas an explicit description of $\chi$ may require $\Omega(\ell)$
bits.

Suppose in addition to the map $E(K)/\ell \to E(K_u)/\ell \oplus E(K_{u'})/\ell$ being an
isomorphism, we assume that the map $E(K)/\ell \to E(K_v)/\ell$ is nontrivial. In this
case we may obtain the $R_w$'s as follows. Let $Q, R \in E(K)$ be such that their classes generate
$E(K)/\ell$. Suppose without loss of generality that the class of $Q$ is nontrivial in
$E(K_u)/\ell$ and the class of $R$ is nontrivial in $E(K_{u'})/\ell$. As $E(K)/\ell \to E(K_v)/\ell$
is nontrivial, the class of either $Q$ or $R$ is nontrivial in $E(K_v)/\ell$. Suppose without
loss of generality the class of $Q$ is nontrivial in $E(K_v)/\ell$. Then we may take
$R_v = Q$, $R_u = Q$ and $R_{u'} = R$.

5.3. ECDL and Signature Computation. In this section we show that the
elliptic curve discrete logarithm problem is random polynomial time equivalent to
computing the signature of homogeneous spaces with prescribed ramification as
described in Proposition 5.

ECDL: Given $p$, $\ell$, $\bar{E}$, $\bar{Q}$ and $\bar{R}$, where $p$ and $\ell$ are prime, $\bar{E}$ is an elliptic curve
defined over $\mathbb{F}_p$ with $\#\bar{E}(\mathbb{F}_p) = \ell$, and non-zero points $\bar{Q}, \bar{R} \in \bar{E}(\mathbb{F}_p)$, to determine
$m$ so that $\bar{R} = m\bar{Q}$.

Homogeneous Space Signature Computation: Suppose we are given $p$, $\ell$, $K$, $E$,
$v$, $Q$, $R$, where $p$ and $\ell$ are prime, $K$ is a quadratic field where $p$ and $\ell$ both split,
$E$ is an elliptic curve defined over $K$ with $\text{Ш}(E)\{\ell\} = 0$ and the discriminant
of $E$ prime to $\ell$, $v$ is a place of $K$ over $p$, $Q$ and $R \in E(K)$ such that
$Q \not\equiv 0 \pmod{\ell E(K_v)}$ and the images of $R$ and $Q$ in $E(K_u)/\ell \oplus E(K_{u'})/\ell$ are
independent, where $u$ and $u'$ are the two places of $K$ over $\ell$. Then compute the
signature of $H^1(U_S, \mathcal{E})[\ell]$ with respect to $P_v = Q$, $P_u = Q$ and $P_{u'} = R$, where $S$
is the set consisting of $u$, $u'$, $v$ and all places of bad reduction of $E$. (Note that $P_w$
generates $E(K_w)/\ell E(K_w)$ for $w = u, u', v$.)

Theorem 2. The problems ECDL and Homogeneous Space Signature Computation
are random polynomial time equivalent.

For the proof of the theorem, we first give a random polynomial time reduction 
from ECDL to Homogeneous Space Signature Computation. This part of the proof 
depends on some heuristic assumptions which will be made clear below. 

Given $\bar{E}/\mathbb{F}_p$ where $\bar{E}(\mathbb{F}_p)[\ell] = \langle \bar{Q} \rangle$, and $\bar{R}$, we are to compute $m$ so that
$\bar{R} = m\bar{Q}$. Steps 1-3 of the reduction construct an instance $p$, $\ell$, $K$, $E$, $v$, $Q$, $R$ of
the Homogeneous Space Signature Computation problem.

1. Construct $E/\mathbb{Q}$ with $Q \in E(\mathbb{Q})$ such that $Q \equiv \bar{Q} \bmod p$. This can be done
as follows. Suppose $\bar{E}$ is specified by an affine equation $y^2 = x^3 + \bar{a}x + \bar{b}$ where
$a \equiv \bar{a} \bmod p$, $b \equiv \bar{b} \bmod p$ with $0 \le a, b < p$ and $\bar{Q} = (\mu \bmod p, \nu \bmod p)$ with
$0 \le \mu, \nu < p$. Choose a random integer $r$, $0 < r < p$, and let $Q = (\mu, \nu + rp)$.
Let $b_r = (\nu + rp)^2 - (\mu^3 + a\mu)$. Then $Q \in E_r(\mathbb{Q})$ where $E_r$ is the elliptic curve
with the affine equation $y^2 = x^3 + ax + b_r$ (note that $b_r \equiv \nu^2 - \mu^3 - a\mu \equiv b \bmod p$,
so $E_r$ reduces to $\bar{E}$ modulo $p$). Set $E = E_r$. The point $Q$ cannot be
torsion, for otherwise it would have to be in $E(\mathbb{Q})[\ell]$, which has no non-zero point
since $\ell$ is big. The height of $Q$ is far smaller than that of a point in $\ell E(\mathbb{Q})$, so $Q$
is not in $\ell E(\mathbb{Q})$. Since $\bar{E}(\mathbb{F}_p)[\ell] \cong \mathbb{Z}/\ell\mathbb{Z}$, $E(\mathbb{Q}_p)/\ell \cong \bar{E}(\mathbb{F}_p)/\ell \cong \mathbb{Z}/\ell\mathbb{Z}$ and the
class of $Q$ generates $E(\mathbb{Q}_p)/\ell$.

2. Check that $E$ has good reduction at $\ell$ and that $|E(\mathbb{F}_\ell)|$ is not divisible by $\ell$.
Otherwise, go back to 1 to find a different $E$.

3. Lift $\bar{R}$ to $R \in E(K)$ where $K/\mathbb{Q}$ is a quadratic extension in which $p$ and
$\ell$ both split. This can be done as follows. Suppose $E$ is defined by the affine
equation $y^2 = x^3 + ax + c$. Suppose $\bar{R} = (\mu \bmod p, \nu \bmod p)$ with $0 \le \mu, \nu < p$.
Choose a random positive integer $r < p$. Set $\mu_r = \mu + rp$. Let $\beta$ be a root of
$y^2 = \mu_r^3 + a\mu_r + c$. Then $(\mu_r, \beta)$ is a lift of $\bar{R}$ in $E(K)$ where $K = \mathbb{Q}(\beta)$. By
construction $p$ splits in $K$ (since $\beta^2 \equiv \nu^2 \bmod p$ is a nonzero square modulo $p$;
$\nu \neq 0$ because $\#\bar{E}(\mathbb{F}_p) = \ell$ is odd),

$$E(K_v)/\ell \cong E(\mathbb{Q}_p)/\ell \cong \bar{E}(\mathbb{F}_p)/\ell \cong \mathbb{Z}/\ell\mathbb{Z},$$

and $R - mQ \in \ell E(K_v)$ (it reduces to $\bar{R} - m\bar{Q} = 0$ modulo $v$, so it lies in the pro-$p$
group $E_1(K_v)$, which is $\ell$-divisible). Check that $\ell$ splits in $K$ and that the images of $R$ and $Q$
in $E(K_u)/\ell \oplus E(K_{u'})/\ell$ are independent; otherwise repeat the above steps with a
different $r$ until a suitable $K$ is found. Say the class of $Q$ is nontrivial in $E(K_u)/\ell$
and the class of $R$ is nontrivial in $E(K_{u'})/\ell$.

4. Call the oracle for the Homogeneous Space Signature Computation on input
$p$, $\ell$, $E$, $K$, $Q$, $R$, $v$ to compute the signature $(\alpha, \beta)$ of $H^1(U_S, \mathcal{E})[\ell]$ with
respect to $P_v = Q$, $P_u = Q$ and $P_{u'} = R$ (where $S$ is the set consisting of $u, u', v$
and all places of bad reduction of $E$; this $\beta$ is unrelated to the root $\beta$ of Step 3). Then for all nontrivial $\chi \in H^1(U_S, \mathcal{E})[\ell]$,

$$\alpha = \frac{\langle \chi_u, Q_u \rangle}{\langle \chi_v, Q_v \rangle} \quad\text{and}\quad \beta = \frac{\langle \chi_{u'}, R_{u'} \rangle}{\langle \chi_v, Q_v \rangle}.$$

5. Identify $K_u$ with $\mathbb{Q}_\ell$ and compute $n$ so that $R \equiv nQ \pmod{\ell E(K_u)}$ as
follows. Compute $d = |E(\mathbb{F}_\ell)|$. Observe that $dQ$ and $dR$ are both in $E_1(\mathbb{Q}_\ell)$.
Compute $n$ such that $n(dQ) \equiv dR \pmod{\ell E_1(\mathbb{Q}_\ell)}$ in $E_1(\mathbb{Q}_\ell)$; in terms of the
formal group parameter $z = -x/y$, for which $z(P) \in \ell\mathbb{Z}_\ell$ and $z([n]P) \equiv n\,z(P) \pmod{\ell^2}$
for $P \in E_1(\mathbb{Q}_\ell)$, this is $n \equiv z(dR)/z(dQ) \pmod{\ell}$. Then $d(nQ - R) = \ell Z$
for some $Z \in E_1(\mathbb{Q}_\ell)$. Since $d$ is not divisible by $\ell$, $d^{-1} \in \mathbb{Z}_\ell$, so $nQ - R =
d^{-1}\ell Z = \ell(d^{-1}Z) \in \ell E(\mathbb{Q}_\ell)$.

6. Now

$$0 = \sum_w \langle \chi_w, R_w \rangle = \langle \chi_v, R_v \rangle + \langle \chi_u, R_u \rangle + \langle \chi_{u'}, R_{u'} \rangle
= m\langle \chi_v, Q_v \rangle + n\langle \chi_u, Q_u \rangle + \langle \chi_{u'}, R_{u'} \rangle.$$

Dividing by $\langle \chi_v, Q_v \rangle \neq 0$ we get $m + n\alpha + \beta \equiv 0 \pmod{\ell}$. Hence $m$ can be determined.
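Step 5 is the one computation in this reduction that is not an oracle call, and the same routine produces the coefficients $a_w, b_w$ at $w = u, u'$ needed in the reverse reduction below, so here is a worked example of it. It is an added illustration, not code from the paper. It uses a constructed curve $E: y^2 = x^3 - x + 1$ over $\mathbb{Q}$ with the rational point $Q = (1, 1)$ of infinite order and the prime $\ell = 7$ of good reduction, for which $d = \#E(\mathbb{F}_7) = 12$ is prime to $7$. Multiples of points are computed with exact rational arithmetic, and $n$ is read off from the formal group parameter $z = -x/y$ of $dQ$ and $dR$ using $z([n]P) \equiv n\,z(P) \pmod{\ell^2}$ for $P \in E_1(\mathbb{Q}_\ell)$. Point counting over $\mathbb{F}_\ell$ is brute force here in place of Schoof's algorithm, and the inputs $R = kQ$ are constructed so that the expected answer $n \equiv k \pmod{\ell}$ is known.

```python
from fractions import Fraction as Fr

# Constructed example curve (not from the paper): E : y^2 = x^3 + A x + B over Q with
# A = -1, B = 1, the rational point Q = (1, 1) of infinite order, and ell = 7.
A, B = -1, 1
ELL = 7


def on_curve(P):
    if P is None:                       # None is the point at infinity O
        return True
    x, y = Fr(P[0]), Fr(P[1])
    return y * y == x ** 3 + A * x + B


def add(P1, P2):
    """Chord-and-tangent addition on E(Q) in exact rational arithmetic."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1, x2, y2 = Fr(P1[0]), Fr(P1[1]), Fr(P2[0]), Fr(P2[1])
    if x1 == x2:
        if y1 + y2 == 0:                # P2 = -P1 (also covers doubling a 2-torsion point)
            return None
        lam = (3 * x1 * x1 + A) / (2 * y1)
    else:
        lam = (y2 - y1) / (x2 - x1)
    x3 = lam * lam - x1 - x2
    return (x3, lam * (x1 - x3) - y1)


def mul(n, P):
    """[n]P by double-and-add; negative n uses -P = (x, -y)."""
    if n < 0:
        n, P = -n, (P and (Fr(P[0]), -Fr(P[1])))
    acc = None
    while n:
        if n & 1:
            acc = add(acc, P)
        P, n = add(P, P), n >> 1
    return acc


def count_points_mod(ell):
    """#E(F_ell) by brute force (the paper uses Schoof's algorithm [Sc] for large ell)."""
    count = 1                           # the point at infinity
    for x in range(ell):
        rhs = (x ** 3 + A * x + B) % ell
        count += sum(1 for y in range(ell) if (y * y) % ell == rhs)
    return count


def unit_mod(q, ell):
    """Write the nonzero rational q as ell^v * (ell-adic unit); return (v, unit mod ell)."""
    num, den, v = q.numerator, q.denominator, 0
    while num % ell == 0:
        num, v = num // ell, v + 1
    while den % ell == 0:
        den, v = den // ell, v - 1
    return v, (num * pow(den, -1, ell)) % ell


def local_log(Q, R, ell):
    """Step 5: n with R = nQ (mod ell E(Q_ell)).  d = #E(F_ell) kills the reduction, so
    dQ and dR lie in E_1(Q_ell); there the formal-group parameter z = -x/y satisfies
    z([n]P) = n z(P) (mod ell^2), so n = z(dR)/z(dQ) (mod ell) after dividing both by ell."""
    assert (4 * A ** 3 + 27 * B ** 2) % ell != 0, "E must have good reduction at ell"
    d = count_points_mod(ell)
    assert d % ell != 0, "need ell not dividing #E(F_ell) (Lemma 1(1))"
    dQ, dR = mul(d, Q), mul(d, R)
    assert dQ is not None, "Q must have infinite order"
    vq, uq = unit_mod(-dQ[0] / dQ[1], ell)
    assert vq == 1, "class of Q is trivial in E(Q_ell)/ell: pick another Q"
    if dR is None:                      # R is torsion, so R = 0 in E(Q_ell)/ell
        return 0
    vr, ur = unit_mod(-dR[0] / dR[1], ell)
    assert vr >= 1                      # dR really lies in E_1(Q_ell)
    if vr >= 2:                         # dR is in ell E_1(Q_ell), i.e. R = 0 in E(Q_ell)/ell
        return 0
    return (ur * pow(uq, -1, ell)) % ell


if __name__ == "__main__":
    Q = (1, 1)
    assert on_curve(Q)
    for k in (1, 3, 5, 10):
        print(k, local_log(Q, mul(k, Q), ELL))   # each line reads k, k mod 7
```

The `assert vq == 1` is the check that $Q$ generates $E(\mathbb{Q}_\ell)/\ell$, i.e. that the class of $Q$ is nontrivial at $u$ as Step 3 requires; for this curve $12Q$ has $z = -6244/24655$, of $7$-adic valuation exactly one, so the check passes.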

We make the heuristic assumption that it is likely for $E$ and $K$ to satisfy the
conditions in Proposition 4. Note that by construction $E(\mathbb{Q})$ is of rank at least one.
The points $Q$ and $R$ are likely to be integrally independent in $E(K)$ as they both
have small height by construction. So $E(K)$ is likely to be of rank at least two and
we make the heuristic assumption that with nontrivial probability its rank is exactly
two. Moreover, since $Q \in E(\mathbb{Q})$ and $R \in E(K) - E(\mathbb{Q})$, the images of $Q$ and $R$
are likely to be independent in $E(K_u)/\ell \oplus E(K_{u'})/\ell$, heuristically speaking. The
expected running time of this reduction is dominated by Step 2 where the number
of rational points on the reduction of $E$ mod $\ell$ is counted. The running time of that
step is polynomial in $\log \ell$ [Sc], hence polynomial in $\log p$.

Next we give a random polynomial time reduction from Homogeneous Space
Signature Computation with input $p$, $\ell$, $E$, $K$, $Q$, $R$, $v$ to ECDL with input $p$, $\ell$,
$\bar{E}$, $\bar{Q}$, $\bar{R}$, where $\bar{E}$ is the reduction of $E$ mod $v$, and $\bar{Q}$ (resp. $\bar{R}$) is the reduction of $Q$
(resp. $R$) mod $v$.

For any nontrivial $\chi \in H^1(K, E)[\ell]$ that is unramified away from $u$, $u'$ and $v$,
we have

$$\langle \chi_v, Q_v \rangle + \langle \chi_u, Q_u \rangle + \langle \chi_{u'}, Q_{u'} \rangle = 0,$$

$$\langle \chi_v, R_v \rangle + \langle \chi_u, R_u \rangle + \langle \chi_{u'}, R_{u'} \rangle = 0.$$

Suppose $Q \equiv a_w P_w \pmod{\ell E(K_w)}$ and $R \equiv b_w P_w \pmod{\ell E(K_w)}$ for
$w = u, u', v$. Note that from Lemma 1, $a_v$ and $b_v$ can be computed by solving
ECDL on the reduction of $E$ modulo $v$. On the other hand $a_w$, $b_w$ for $w = u, u'$
can be computed in the manner described in Step 5 above.

Then we get

$$a_v\langle \chi_v, P_v \rangle + a_u\langle \chi_u, P_u \rangle + a_{u'}\langle \chi_{u'}, P_{u'} \rangle = 0,$$

$$b_v\langle \chi_v, P_v \rangle + b_u\langle \chi_u, P_u \rangle + b_{u'}\langle \chi_{u'}, P_{u'} \rangle = 0.$$

Condition (2) of Proposition 4 implies that the two relations above are linearly
independent. From these we can compute the signature of $\chi$; that is,

$$\left( \frac{\langle \chi_u, P_u \rangle}{\langle \chi_v, P_v \rangle},\ \frac{\langle \chi_{u'}, P_{u'} \rangle}{\langle \chi_v, P_v \rangle} \right).$$

The expected running time of this reduction can be shown
to be $(\log p)^{O(1)} + O(M \log p)$ where $M$ is the maximum of the lengths of $R$, $Q$
and $D$.

6. Feasibility of Index Calculus 

We will derive an index calculus method for the signature computation problem 
of Dirichlet characters. We will discuss why a similar method cannot work for 
principal homogeneous spaces. 

6.1. Index Calculus for Signature Computation of Dirichlet Characters.

Suppose we are given a real quadratic field $K$, primes $\ell$, $p$, and places $u$, $v$ satisfying
the conditions in Proposition 2. Let $K = \mathbb{Q}(\alpha)$ with $\alpha^2 \in \mathbb{Z}_{>0}$. To compute the
signature of $\chi \in H^1(K, \mathbb{Z}/\ell\mathbb{Z})$ that is ramified precisely at $u$ and $v$, we generate
random algebraic integers $\beta = r\alpha + s$ with $r, s \in \mathbb{Z}$ so that $r\alpha + s \equiv g \pmod{v}$
and $\beta \sim_\ell (1 + \ell)^a$ at $u$ for some $a$. Now suppose the norm of $\beta$ is $B$-smooth for
some integer $B$. Then

$$0 = \sum_w \langle \chi_w, \beta_w \rangle = \langle \chi_v, g_v \rangle + a\langle \chi_u, 1 + \ell_u \rangle + \sum_w \operatorname{ord}_w(\beta)\,\langle \chi_w, \pi_w \rangle,$$

where $w$ in the last sum ranges over all places of $K$ of norm less than $B$, $\pi_w$ is a
local parameter at $w$, and $\operatorname{ord}_w(\beta)$ is the valuation of $\beta$ at $w$ (at such $w$ the
character $\chi$ is unramified, so the unit part of $\beta_w$ pairs trivially with $\chi_w$). Hence we have obtained
a $\mathbb{Z}/\ell\mathbb{Z}$-linear relation on $(\langle \chi_v, g_v \rangle)^{-1}\langle \chi_u, 1 + \ell_u \rangle$ and the $(\langle \chi_v, g_v \rangle)^{-1}\langle
\chi_w, \pi_w \rangle$. With $O(B)$ relations we can solve for all these unknowns, in particular
the signature $(\langle \chi_v, g_v \rangle)^{-1}\langle \chi_u, 1 + \ell_u \rangle$.

6.2. The Elliptic Curve Case. We see that one important reason why index
calculus is viable in the multiplicative case is the fact that locally unramified
Dirichlet characters can be paired nontrivially with non-units. For the elliptic curve
case, pairing a principal homogeneous space $\chi$ and a global point $\alpha$ yields similarly
a relation:

$$0 = \sum_v \langle \chi_v, \alpha_v \rangle.$$

However from Lemma 1 we see that in the sum above we have a nontrivial contribution
from a place $v \nmid \ell$ (and where $E$ has good reduction) only if $\ell$ divides $\#E(\mathbb{F}_v)$.
Since $\#E(\mathbb{F}_v)$ is of the order $\#\mathbb{F}_v$, which is the norm of $v$, we see that the finite
places of good reduction that are involved in the sum are all of large norm. As
for the bad reduction places, the heuristic assumption that we discussed just before
Proposition 4 implies that these will not play any role in this sum, since it will
be likely that $E(K_v)/\ell = 0$ for such places $v$, because $v$ is of small norm. This
explains why the index calculus method is lacking in the case of the elliptic curve
discrete logarithm problem.

7. Characterization of ramification signature

Let $K$, $\ell$, $p$, $u$, $v$, $S$ be as in Proposition 2.

Let $g \in \mathbb{Z}$ be such that $g \bmod p$ generates the multiplicative group of $\mathbb{F}_p$. Let $w$ be
the place of $K(\mu_\ell)$ over $v$ such that $g^{(p-1)/\ell} \equiv \zeta \pmod{w}$.

Let $M = K_S$ be the cyclic extension corresponding to $H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})$. Suppose
$\chi \in H^1(G_S, \mathbb{Z}/\ell\mathbb{Z})$ is nontrivial. Then $\chi$ corresponds to some $A \in K(\mu_\ell)^*$
through $H^1(K(\mu_\ell), \mathbb{Z}/\ell\mathbb{Z}) \cong H^1(K(\mu_\ell), \mu_\ell) \cong K(\mu_\ell)^*/K(\mu_\ell)^{*\ell}$, such that $M(\mu_\ell) =
K(\mu_\ell)(A^{1/\ell})$, and for all $\sigma$ in the absolute Galois group of $K(\mu_\ell)$, $\chi(\sigma) = 1$ iff $\sigma(A^{1/\ell})/A^{1/\ell} =
\zeta$.

The following proposition provides a concrete characterization of the signature
of $\chi$.

Proposition 6. If we identify $K(\mu_\ell)_w$ with $\mathbb{Q}_p$ and $K_u$ with $\mathbb{Q}_\ell$, then $A \sim_\ell p^{-m}$
in $\mathbb{Q}_p^{\mathrm{ur}}$ where $m = \sigma_v(\chi) = \langle \chi_v, g_v \rangle$, and $A \sim_\ell \zeta^{-n}$ in $\mathbb{Q}_\ell(\mu_\ell)^{\mathrm{ur}}$ where
$n = \sigma_u(\chi) = \langle \chi_u, 1 + \ell_u \rangle$.

The rest of this section is devoted to the proof of this proposition. We set
some notation first. For any local field $L$, let $L^{\mathrm{ur}}$ denote the maximal unramified
extension of $L$. For any place $u$ of a number field $K$, let $\theta_u$ denote the local Artin
map,

$$\theta_u : K_u^* \to G_u^{\mathrm{ab}},$$

where $G_u^{\mathrm{ab}}$ denotes the Galois group of the maximal abelian extension of $K_u$. For
$a, b \in K(\mu_\ell)$ and $u$ a prime of $K(\mu_\ell)$, we have

$$(a')^{\theta_u(b)} = (a, b)_u \, a',$$

where $a'^{\,\ell} = a$, and $(a, b)_u$ denotes the local norm residue symbol (see p. 351 of
[CF]).

Lemma 3. $\sigma_u(\chi) = \langle \chi_u, 1 + \ell_u \rangle = \chi_u(\theta_u(1 + \ell))$ and $\sigma_v(\chi) = \langle \chi_v, g_v \rangle =
\chi_v(\theta_v(g))$.

Proof. This follows directly from [S], Chapter XIV, Proposition 3.

Proof of Proposition 6. Suppose $v'$ is a place of $K(\mu_\ell)$ such that $v' \mid v$. Then $d\langle
\chi_v, b_v \rangle = \langle \chi_{v'}, b_{v'} \rangle$ where $d = [K(\mu_\ell)_{v'} : K_v]$ (see [S], Proposition 7 of Ch.
XIII). Moreover $\langle \chi_{v'}, b_{v'} \rangle = \chi_{v'}(\theta_{v'}(b)) = i$ iff $(A, b)_{v'} = \zeta^i$. Identifying $i$
with $\zeta^i$, we may write

$$d\langle \chi_v, b_v \rangle = \langle \chi_{v'}, b_{v'} \rangle = (A, b)_{v'}.$$

We analyze the situation at $p$ and $\ell$ separately.

(I) At $p$: $\mathbb{Q}_p^*/\ell = \mu_\ell \times \langle p \rangle/\ell$. So under the identification of $K(\mu_\ell)_w$ with
$\mathbb{Q}_p$, $A \sim_\ell \omega\, p^{e}$ where $\omega^\ell = 1$, $0 \le e < \ell$ and $e \equiv w(A) \pmod{\ell}$. Since $\mathbb{Q}_p(\omega^{1/\ell})/\mathbb{Q}_p$ is unramified,
$A \sim_\ell p^{e}$ in $\mathbb{Q}_p^{\mathrm{ur}}$.

Let $\chi \in H^1(K, \mathbb{Z}/\ell\mathbb{Z})$. Then

$$\langle \chi_w, g_w \rangle = (A, g)_w = -(g, A)_w,$$

and, since $g$ is a unit at $w$, the tame symbol is

$$(g, A)_w = \left(\frac{g}{P_w}\right)^{w(A)} \equiv \left(g^{(Nw - 1)/\ell}\right)^{w(A)} \equiv \zeta^{w(A)} \pmod{P_w},$$

by the choice of $w$ (here $Nw = p$). Therefore, $(g, A)_w = w(A)$ in additive notation. Consequently,
since $d = [K(\mu_\ell)_w : K_v] = 1$ because $\mu_\ell \subset \mathbb{Q}_p$,

$$\langle \chi_v, g_v \rangle = \langle \chi_w, g_w \rangle = -(g, A)_w = -w(A),$$

which gives the first assertion of the proposition with $m = -w(A) \equiv -e$.

(II) At $\ell$: Denote by $u'$ the place of $K(\mu_\ell)$ over $u$. We have

$$(\ell - 1)\langle \chi_u, 1 + \ell_u \rangle = \langle \chi_{u'}, 1 + \ell_{u'} \rangle = (A, 1 + \ell)_{u'},$$

since here $d = [\mathbb{Q}_\ell(\mu_\ell) : \mathbb{Q}_\ell] = \ell - 1$. We verify below that $(A, 1 + \ell)_{u'} = a$ where
$A \sim_\ell \zeta^{a}$ in $\mathbb{Q}_\ell(\mu_\ell)^{\mathrm{ur}}$. Then, as $\ell - 1 \equiv -1 \pmod{\ell}$, we can conclude that

$$n = \sigma_u(\chi) = \langle \chi_u, 1 + \ell_u \rangle = -a,$$

that is, $A \sim_\ell \zeta^{-n}$ in $\mathbb{Q}_\ell(\mu_\ell)^{\mathrm{ur}}$.



There is a ramified extension of degree $\ell$ over $\mathbb{Q}_\ell$, namely, the subextension $M_1$
of $\mathbb{Q}_\ell(\zeta_{\ell^2})$ of degree $\ell$ over $\mathbb{Q}_\ell$. Let $\psi$ be the ramified character in $H^1(\mathbb{Q}_\ell, \mathbb{Z}/\ell\mathbb{Z})$
whose restriction to $H^1(\mathbb{Q}_\ell(\zeta), \mathbb{Z}/\ell\mathbb{Z})$ corresponds to the class of $\zeta$ under the isomorphism
$H^1(\mathbb{Q}_\ell(\zeta), \mathbb{Z}/\ell\mathbb{Z}) \cong H^1(\mathbb{Q}_\ell(\zeta), \mu_\ell) \cong \mathbb{Q}_\ell(\zeta)^*/\ell$. Then the kernel of $\psi$
corresponds to $M_1$.

There is an unramified extension $N$ of degree $\ell$ over $\mathbb{Q}_\ell$ (an Artin-Schreier
extension). Let $N(\zeta) = \mathbb{Q}_\ell(\zeta)(\beta^{1/\ell})$ with $\beta \in \mathbb{Q}_\ell(\zeta)^*$. Let $\varphi$ be the unramified
character in $H^1(\mathbb{Q}_\ell, \mathbb{Z}/\ell\mathbb{Z})$ whose restriction to $H^1(\mathbb{Q}_\ell(\zeta), \mathbb{Z}/\ell\mathbb{Z})$ corresponds
to the class of $\beta$ under the isomorphism $H^1(\mathbb{Q}_\ell(\zeta), \mathbb{Z}/\ell\mathbb{Z}) \cong H^1(\mathbb{Q}_\ell(\zeta), \mu_\ell) \cong
\mathbb{Q}_\ell(\zeta)^*/\ell$. Note that since $N$ is unramified, $\beta^{1/\ell} \in \mathbb{Q}_\ell(\zeta)^{\mathrm{ur}}$.

From Tate local duality we see that $H^1(\mathbb{Q}_\ell, \mathbb{Z}/\ell\mathbb{Z})$ has the same dimension as
$\mathbb{Q}_\ell^*/\ell$. The latter is isomorphic to $\mathbb{Z}/\ell\mathbb{Z} \oplus \mathbb{Z}/\ell\mathbb{Z}$. So the dimension of $H^1(\mathbb{Q}_\ell, \mathbb{Z}/\ell\mathbb{Z})$
is two. Since the two characters $\psi$ and $\varphi$ are independent, one being ramified and
the other not, they form a basis of $H^1(\mathbb{Q}_\ell, \mathbb{Z}/\ell\mathbb{Z})$ over $\mathbb{Z}/\ell\mathbb{Z}$. It follows that every
character in $H^1(\mathbb{Q}_\ell, \mathbb{Z}/\ell\mathbb{Z})$ is of the form $a\psi + b\varphi$ with $a, b \in \mathbb{Z}/\ell\mathbb{Z}$. The restriction
of $a\psi + b\varphi$ to $H^1(\mathbb{Q}_\ell(\zeta), \mathbb{Z}/\ell\mathbb{Z})$ corresponds to the class of $\rho = \zeta^a\beta^b$, and
gives rise to a cyclic extension $M'$ of degree $\ell$ over $\mathbb{Q}_\ell$ with $M'(\zeta) = \mathbb{Q}_\ell(\zeta)(\rho^{1/\ell})$.
Note that $\rho \sim_\ell \zeta^a$ in $\mathbb{Q}_\ell(\zeta)^{\mathrm{ur}}$ as $\beta^{1/\ell} \in \mathbb{Q}_\ell(\zeta)^{\mathrm{ur}}$.

Since $\varphi$ is unramified and $1 + \ell$ is a unit,

$$\langle \varphi, 1 + \ell \rangle = 0.$$

So

$$\langle a\psi + b\varphi, 1 + \ell \rangle = a\langle \psi, 1 + \ell \rangle = a(\zeta, 1 + \ell).$$

In the notation of [CF], p. 354, let $\lambda = 1 - \zeta$ and $\eta_i = 1 - \lambda^i$, so that $\eta_1 = \zeta$.
Since $1 + \ell = \eta_{\ell-1}\,\varepsilon$ with $\varepsilon \equiv 1 \pmod{\lambda^\ell}$, and $(\eta_1, \varepsilon) = 0$ for such $\varepsilon$,

$$(\eta_1, 1 + \ell) = (\eta_1, \eta_{\ell-1}\varepsilon) = (\eta_1, \eta_{\ell-1}),$$

and the relations among the symbols $(\eta_i, \eta_j)$ given in [CF], p. 354, yield $(\eta_1, \eta_{\ell-1}) = 1$
(our symbol is written additively).

Therefore, $\langle a\psi + b\varphi, 1 + \ell \rangle = a$.

The restriction of $\chi_u$ corresponds to $a\psi + b\varphi$, with $a, b \in \mathbb{Z}/\ell\mathbb{Z}$, under the
isomorphism between $H^1(K_u, \mathbb{Z}/\ell\mathbb{Z})$ and $H^1(\mathbb{Q}_\ell, \mathbb{Z}/\ell\mathbb{Z})$. From the discussion
above, $A \sim_\ell \rho$ in $\mathbb{Q}_\ell(\mu_\ell)$ under the identification of $K(\mu_\ell)_{u'}$ with $\mathbb{Q}_\ell(\mu_\ell)$, and $A \sim_\ell \zeta^a$
in $\mathbb{Q}_\ell(\mu_\ell)^{\mathrm{ur}}$.

We have

$$(\ell - 1)\langle \chi_u, 1 + \ell_u \rangle = \langle \chi_{u'}, 1 + \ell_{u'} \rangle = \langle a\psi + b\varphi, 1 + \ell \rangle = a.$$

So

$$n = \sigma_u(\chi) = \langle \chi_u, 1 + \ell_u \rangle = -a,$$

where $A \sim_\ell \zeta^a$ in $\mathbb{Q}_\ell(\mu_\ell)^{\mathrm{ur}}$; equivalently $A \sim_\ell \zeta^{-n}$, which is the second assertion of the proposition.